HMVMXR0.cpp@ 61680

Last change on this file since 61680 was 61648, checked in by vboxsync, 9 years ago
VMM/HM: Better handling of edge-cases during exceptions caused as a result of event injection.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 578.6 KB

Line
1	/* $Id: HMVMXR0.cpp 61648 2016-06-10 10:14:16Z vboxsync $ */
2	/** @file
3	* HM VMX (Intel VT-x) - Host Context Ring-0.
4	*/
5
6	/*
7	* Copyright (C) 2012-2015 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18
19	/*********************************************************************************************************************************
20	* Header Files *
21	*********************************************************************************************************************************/
22	#define LOG_GROUP LOG_GROUP_HM
23	#include <iprt/x86.h>
24	#include <iprt/asm-amd64-x86.h>
25	#include <iprt/thread.h>
26
27	#include <VBox/vmm/pdmapi.h>
28	#include <VBox/vmm/dbgf.h>
29	#include <VBox/vmm/iem.h>
30	#include <VBox/vmm/iom.h>
31	#include <VBox/vmm/selm.h>
32	#include <VBox/vmm/tm.h>
33	#include <VBox/vmm/gim.h>
34	#ifdef VBOX_WITH_REM
35	# include <VBox/vmm/rem.h>
36	#endif
37	#ifdef VBOX_WITH_NEW_APIC
38	# include <VBox/vmm/apic.h>
39	#endif
40	#include "HMInternal.h"
41	#include <VBox/vmm/vm.h>
42	#include "HMVMXR0.h"
43	#include "dtrace/VBoxVMM.h"
44
45	#ifdef DEBUG_ramshankar
46	# define HMVMX_ALWAYS_SAVE_GUEST_RFLAGS
47	# define HMVMX_ALWAYS_SAVE_FULL_GUEST_STATE
48	# define HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE
49	# define HMVMX_ALWAYS_CHECK_GUEST_STATE
50	# define HMVMX_ALWAYS_TRAP_ALL_XCPTS
51	# define HMVMX_ALWAYS_TRAP_PF
52	# define HMVMX_ALWAYS_SWAP_FPU_STATE
53	# define HMVMX_ALWAYS_FLUSH_TLB
54	# define HMVMX_ALWAYS_SWAP_EFER
55	#endif
56
57
58	/*********************************************************************************************************************************
59	* Defined Constants And Macros *
60	*********************************************************************************************************************************/
61	/** Use the function table. */
62	#define HMVMX_USE_FUNCTION_TABLE
63
64	/** Determine which tagged-TLB flush handler to use. */
65	#define HMVMX_FLUSH_TAGGED_TLB_EPT_VPID 0
66	#define HMVMX_FLUSH_TAGGED_TLB_EPT 1
67	#define HMVMX_FLUSH_TAGGED_TLB_VPID 2
68	#define HMVMX_FLUSH_TAGGED_TLB_NONE 3
69
70	/** @name Updated-guest-state flags.
71	* @{ */
72	#define HMVMX_UPDATED_GUEST_RIP RT_BIT(0)
73	#define HMVMX_UPDATED_GUEST_RSP RT_BIT(1)
74	#define HMVMX_UPDATED_GUEST_RFLAGS RT_BIT(2)
75	#define HMVMX_UPDATED_GUEST_CR0 RT_BIT(3)
76	#define HMVMX_UPDATED_GUEST_CR3 RT_BIT(4)
77	#define HMVMX_UPDATED_GUEST_CR4 RT_BIT(5)
78	#define HMVMX_UPDATED_GUEST_GDTR RT_BIT(6)
79	#define HMVMX_UPDATED_GUEST_IDTR RT_BIT(7)
80	#define HMVMX_UPDATED_GUEST_LDTR RT_BIT(8)
81	#define HMVMX_UPDATED_GUEST_TR RT_BIT(9)
82	#define HMVMX_UPDATED_GUEST_SEGMENT_REGS RT_BIT(10)
83	#define HMVMX_UPDATED_GUEST_DEBUG RT_BIT(11)
84	#define HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR RT_BIT(12)
85	#define HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR RT_BIT(13)
86	#define HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR RT_BIT(14)
87	#define HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS RT_BIT(15)
88	#define HMVMX_UPDATED_GUEST_LAZY_MSRS RT_BIT(16)
89	#define HMVMX_UPDATED_GUEST_ACTIVITY_STATE RT_BIT(17)
90	#define HMVMX_UPDATED_GUEST_INTR_STATE RT_BIT(18)
91	#define HMVMX_UPDATED_GUEST_APIC_STATE RT_BIT(19)
92	#define HMVMX_UPDATED_GUEST_ALL ( HMVMX_UPDATED_GUEST_RIP \
93	\| HMVMX_UPDATED_GUEST_RSP \
94	\| HMVMX_UPDATED_GUEST_RFLAGS \
95	\| HMVMX_UPDATED_GUEST_CR0 \
96	\| HMVMX_UPDATED_GUEST_CR3 \
97	\| HMVMX_UPDATED_GUEST_CR4 \
98	\| HMVMX_UPDATED_GUEST_GDTR \
99	\| HMVMX_UPDATED_GUEST_IDTR \
100	\| HMVMX_UPDATED_GUEST_LDTR \
101	\| HMVMX_UPDATED_GUEST_TR \
102	\| HMVMX_UPDATED_GUEST_SEGMENT_REGS \
103	\| HMVMX_UPDATED_GUEST_DEBUG \
104	\| HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR \
105	\| HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR \
106	\| HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR \
107	\| HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS \
108	\| HMVMX_UPDATED_GUEST_LAZY_MSRS \
109	\| HMVMX_UPDATED_GUEST_ACTIVITY_STATE \
110	\| HMVMX_UPDATED_GUEST_INTR_STATE \
111	\| HMVMX_UPDATED_GUEST_APIC_STATE)
112	/** @} */
113
114	/** @name
115	* Flags to skip redundant reads of some common VMCS fields that are not part of
116	* the guest-CPU state but are in the transient structure.
117	*/
118	#define HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_INFO RT_BIT(0)
119	#define HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_ERROR_CODE RT_BIT(1)
120	#define HMVMX_UPDATED_TRANSIENT_EXIT_QUALIFICATION RT_BIT(2)
121	#define HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_LEN RT_BIT(3)
122	#define HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO RT_BIT(4)
123	#define HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_ERROR_CODE RT_BIT(5)
124	#define HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_INFO RT_BIT(6)
125	/** @} */
126
127	/** @name
128	* States of the VMCS.
129	*
130	* This does not reflect all possible VMCS states but currently only those
131	* needed for maintaining the VMCS consistently even when thread-context hooks
132	* are used. Maybe later this can be extended (i.e. Nested Virtualization).
133	*/
134	#define HMVMX_VMCS_STATE_CLEAR RT_BIT(0)
135	#define HMVMX_VMCS_STATE_ACTIVE RT_BIT(1)
136	#define HMVMX_VMCS_STATE_LAUNCHED RT_BIT(2)
137	/** @} */
138
139	/**
140	* Exception bitmap mask for real-mode guests (real-on-v86).
141	*
142	* We need to intercept all exceptions manually except:
143	* - \#NM, \#MF handled in hmR0VmxLoadSharedCR0().
144	* - \#AC and \#DB are always intercepted to prevent the CPU from deadlocking
145	* due to bugs in Intel CPUs.
146	* - \#PF need not be intercepted even in real-mode if we have Nested Paging
147	* support.
148	*/
149	#define HMVMX_REAL_MODE_XCPT_MASK ( RT_BIT(X86_XCPT_DE) /* always: \| RT_BIT(X86_XCPT_DB) */ \| RT_BIT(X86_XCPT_NMI) \
150	\| RT_BIT(X86_XCPT_BP) \| RT_BIT(X86_XCPT_OF) \| RT_BIT(X86_XCPT_BR) \
151	\| RT_BIT(X86_XCPT_UD) /* RT_BIT(X86_XCPT_NM) */ \| RT_BIT(X86_XCPT_DF) \
152	\| RT_BIT(X86_XCPT_CO_SEG_OVERRUN) \| RT_BIT(X86_XCPT_TS) \| RT_BIT(X86_XCPT_NP) \
153	\| RT_BIT(X86_XCPT_SS) \| RT_BIT(X86_XCPT_GP) /* RT_BIT(X86_XCPT_PF) */ \
154	/* RT_BIT(X86_XCPT_MF) always: \| RT_BIT(X86_XCPT_AC) */ \| RT_BIT(X86_XCPT_MC) \
155	\| RT_BIT(X86_XCPT_XF))
156
157	/**
158	* Exception bitmap mask for all contributory exceptions.
159	*
160	* Page fault is deliberately excluded here as it's conditional as to whether
161	* it's contributory or benign. Page faults are handled separately.
162	*/
163	#define HMVMX_CONTRIBUTORY_XCPT_MASK ( RT_BIT(X86_XCPT_GP) \| RT_BIT(X86_XCPT_NP) \| RT_BIT(X86_XCPT_SS) \| RT_BIT(X86_XCPT_TS) \
164	\| RT_BIT(X86_XCPT_DE))
165
166	/** Maximum VM-instruction error number. */
167	#define HMVMX_INSTR_ERROR_MAX 28
168
169	/** Profiling macro. */
170	#ifdef HM_PROFILE_EXIT_DISPATCH
171	# define HMVMX_START_EXIT_DISPATCH_PROF() STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitDispatch, ed)
172	# define HMVMX_STOP_EXIT_DISPATCH_PROF() STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitDispatch, ed)
173	#else
174	# define HMVMX_START_EXIT_DISPATCH_PROF() do { } while (0)
175	# define HMVMX_STOP_EXIT_DISPATCH_PROF() do { } while (0)
176	#endif
177
178	/** Assert that preemption is disabled or covered by thread-context hooks. */
179	#define HMVMX_ASSERT_PREEMPT_SAFE() Assert( VMMR0ThreadCtxHookIsEnabled(pVCpu) \
180	\|\| !RTThreadPreemptIsEnabled(NIL_RTTHREAD));
181
182	/** Assert that we haven't migrated CPUs when thread-context hooks are not
183	* used. */
184	#define HMVMX_ASSERT_CPU_SAFE() AssertMsg( VMMR0ThreadCtxHookIsEnabled(pVCpu) \
185	\|\| pVCpu->hm.s.idEnteredCpu == RTMpCpuId(), \
186	("Illegal migration! Entered on CPU %u Current %u\n", \
187	pVCpu->hm.s.idEnteredCpu, RTMpCpuId())); \
188
189	/** Helper macro for VM-exit handlers called unexpectedly. */
190	#define HMVMX_RETURN_UNEXPECTED_EXIT() \
191	do { \
192	pVCpu->hm.s.u32HMError = pVmxTransient->uExitReason; \
193	return VERR_VMX_UNEXPECTED_EXIT; \
194	} while (0)
195
196
197	/*********************************************************************************************************************************
198	* Structures and Typedefs *
199	*********************************************************************************************************************************/
200	/**
201	* VMX transient state.
202	*
203	* A state structure for holding miscellaneous information across
204	* VMX non-root operation and restored after the transition.
205	*/
206	typedef struct VMXTRANSIENT
207	{
208	/** The host's rflags/eflags. */
209	RTCCUINTREG fEFlags;
210	#if HC_ARCH_BITS == 32
211	uint32_t u32Alignment0;
212	#endif
213	/** The guest's TPR value used for TPR shadowing. */
214	uint8_t u8GuestTpr;
215	/** Alignment. */
216	uint8_t abAlignment0[7];
217
218	/** The basic VM-exit reason. */
219	uint16_t uExitReason;
220	/** Alignment. */
221	uint16_t u16Alignment0;
222	/** The VM-exit interruption error code. */
223	uint32_t uExitIntErrorCode;
224	/** The VM-exit exit code qualification. */
225	uint64_t uExitQualification;
226
227	/** The VM-exit interruption-information field. */
228	uint32_t uExitIntInfo;
229	/** The VM-exit instruction-length field. */
230	uint32_t cbInstr;
231	/** The VM-exit instruction-information field. */
232	union
233	{
234	/** Plain unsigned int representation. */
235	uint32_t u;
236	/** INS and OUTS information. */
237	struct
238	{
239	uint32_t u7Reserved0 : 7;
240	/** The address size; 0=16-bit, 1=32-bit, 2=64-bit, rest undefined. */
241	uint32_t u3AddrSize : 3;
242	uint32_t u5Reserved1 : 5;
243	/** The segment register (X86_SREG_XXX). */
244	uint32_t iSegReg : 3;
245	uint32_t uReserved2 : 14;
246	} StrIo;
247	} ExitInstrInfo;
248	/** Whether the VM-entry failed or not. */
249	bool fVMEntryFailed;
250	/** Alignment. */
251	uint8_t abAlignment1[3];
252
253	/** The VM-entry interruption-information field. */
254	uint32_t uEntryIntInfo;
255	/** The VM-entry exception error code field. */
256	uint32_t uEntryXcptErrorCode;
257	/** The VM-entry instruction length field. */
258	uint32_t cbEntryInstr;
259
260	/** IDT-vectoring information field. */
261	uint32_t uIdtVectoringInfo;
262	/** IDT-vectoring error code. */
263	uint32_t uIdtVectoringErrorCode;
264
265	/** Mask of currently read VMCS fields; HMVMX_UPDATED_TRANSIENT_. /
266	uint32_t fVmcsFieldsRead;
267
268	/** Whether the guest FPU was active at the time of VM-exit. */
269	bool fWasGuestFPUStateActive;
270	/** Whether the guest debug state was active at the time of VM-exit. */
271	bool fWasGuestDebugStateActive;
272	/** Whether the hyper debug state was active at the time of VM-exit. */
273	bool fWasHyperDebugStateActive;
274	/** Whether TSC-offsetting should be setup before VM-entry. */
275	bool fUpdateTscOffsettingAndPreemptTimer;
276	/** Whether the VM-exit was caused by a page-fault during delivery of a
277	* contributory exception or a page-fault. */
278	bool fVectoringDoublePF;
279	/** Whether the VM-exit was caused by a page-fault during delivery of an
280	* external interrupt or NMI. */
281	bool fVectoringPF;
282	} VMXTRANSIENT;
283	AssertCompileMemberAlignment(VMXTRANSIENT, uExitReason, sizeof(uint64_t));
284	AssertCompileMemberAlignment(VMXTRANSIENT, uExitIntInfo, sizeof(uint64_t));
285	AssertCompileMemberAlignment(VMXTRANSIENT, uEntryIntInfo, sizeof(uint64_t));
286	AssertCompileMemberAlignment(VMXTRANSIENT, fWasGuestFPUStateActive, sizeof(uint64_t));
287	AssertCompileMemberSize(VMXTRANSIENT, ExitInstrInfo, sizeof(uint32_t));
288	/** Pointer to VMX transient state. */
289	typedef VMXTRANSIENT *PVMXTRANSIENT;
290
291
292	/**
293	* MSR-bitmap read permissions.
294	*/
295	typedef enum VMXMSREXITREAD
296	{
297	/** Reading this MSR causes a VM-exit. */
298	VMXMSREXIT_INTERCEPT_READ = 0xb,
299	/** Reading this MSR does not cause a VM-exit. */
300	VMXMSREXIT_PASSTHRU_READ
301	} VMXMSREXITREAD;
302	/** Pointer to MSR-bitmap read permissions. */
303	typedef VMXMSREXITREAD* PVMXMSREXITREAD;
304
305	/**
306	* MSR-bitmap write permissions.
307	*/
308	typedef enum VMXMSREXITWRITE
309	{
310	/** Writing to this MSR causes a VM-exit. */
311	VMXMSREXIT_INTERCEPT_WRITE = 0xd,
312	/** Writing to this MSR does not cause a VM-exit. */
313	VMXMSREXIT_PASSTHRU_WRITE
314	} VMXMSREXITWRITE;
315	/** Pointer to MSR-bitmap write permissions. */
316	typedef VMXMSREXITWRITE* PVMXMSREXITWRITE;
317
318
319	/**
320	* VMX VM-exit handler.
321	*
322	* @returns Strict VBox status code (i.e. informational status codes too).
323	* @param pVCpu The cross context virtual CPU structure.
324	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
325	* out-of-sync. Make sure to update the required
326	* fields before using them.
327	* @param pVmxTransient Pointer to the VMX-transient structure.
328	*/
329	#ifndef HMVMX_USE_FUNCTION_TABLE
330	typedef DECLINLINE(VBOXSTRICTRC) FNVMXEXITHANDLER(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
331	#else
332	typedef DECLCALLBACK(VBOXSTRICTRC) FNVMXEXITHANDLER(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
333	/** Pointer to VM-exit handler. */
334	typedef FNVMXEXITHANDLER *PFNVMXEXITHANDLER;
335	#endif
336
337	/**
338	* VMX VM-exit handler, non-strict status code.
339	*
340	* This is generally the same as FNVMXEXITHANDLER, the NSRC bit is just FYI.
341	*
342	* @returns VBox status code, no informational status code returned.
343	* @param pVCpu The cross context virtual CPU structure.
344	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
345	* out-of-sync. Make sure to update the required
346	* fields before using them.
347	* @param pVmxTransient Pointer to the VMX-transient structure.
348	*
349	* @remarks This is not used on anything returning VERR_EM_INTERPRETER as the
350	* use of that status code will be replaced with VINF_EM_SOMETHING
351	* later when switching over to IEM.
352	*/
353	#ifndef HMVMX_USE_FUNCTION_TABLE
354	typedef DECLINLINE(int) FNVMXEXITHANDLERNSRC(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
355	#else
356	typedef FNVMXEXITHANDLER FNVMXEXITHANDLERNSRC;
357	#endif
358
359
360	/*********************************************************************************************************************************
361	* Internal Functions *
362	*********************************************************************************************************************************/
363	static void hmR0VmxFlushEpt(PVMCPU pVCpu, VMXFLUSHEPT enmFlush);
364	static void hmR0VmxFlushVpid(PVM pVM, PVMCPU pVCpu, VMXFLUSHVPID enmFlush, RTGCPTR GCPtr);
365	static void hmR0VmxClearIntNmiWindowsVmcs(PVMCPU pVCpu);
366	static VBOXSTRICTRC hmR0VmxInjectEventVmcs(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint64_t u64IntInfo, uint32_t cbInstr,
367	uint32_t u32ErrCode, RTGCUINTREG GCPtrFaultAddress,
368	bool fStepping, uint32_t *puIntState);
369	#if HC_ARCH_BITS == 32
370	static int hmR0VmxInitVmcsReadCache(PVM pVM, PVMCPU pVCpu);
371	#endif
372	#ifndef HMVMX_USE_FUNCTION_TABLE
373	DECLINLINE(VBOXSTRICTRC) hmR0VmxHandleExit(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, uint32_t rcReason);
374	# define HMVMX_EXIT_DECL DECLINLINE(VBOXSTRICTRC)
375	# define HMVMX_EXIT_NSRC_DECL DECLINLINE(int)
376	#else
377	# define HMVMX_EXIT_DECL static DECLCALLBACK(VBOXSTRICTRC)
378	# define HMVMX_EXIT_NSRC_DECL HMVMX_EXIT_DECL
379	#endif
380
381
382	/** @name VM-exit handlers.
383	* @{
384	*/
385	static FNVMXEXITHANDLER hmR0VmxExitXcptOrNmi;
386	static FNVMXEXITHANDLER hmR0VmxExitExtInt;
387	static FNVMXEXITHANDLER hmR0VmxExitTripleFault;
388	static FNVMXEXITHANDLERNSRC hmR0VmxExitInitSignal;
389	static FNVMXEXITHANDLERNSRC hmR0VmxExitSipi;
390	static FNVMXEXITHANDLERNSRC hmR0VmxExitIoSmi;
391	static FNVMXEXITHANDLERNSRC hmR0VmxExitSmi;
392	static FNVMXEXITHANDLERNSRC hmR0VmxExitIntWindow;
393	static FNVMXEXITHANDLERNSRC hmR0VmxExitNmiWindow;
394	static FNVMXEXITHANDLER hmR0VmxExitTaskSwitch;
395	static FNVMXEXITHANDLER hmR0VmxExitCpuid;
396	static FNVMXEXITHANDLER hmR0VmxExitGetsec;
397	static FNVMXEXITHANDLER hmR0VmxExitHlt;
398	static FNVMXEXITHANDLERNSRC hmR0VmxExitInvd;
399	static FNVMXEXITHANDLER hmR0VmxExitInvlpg;
400	static FNVMXEXITHANDLER hmR0VmxExitRdpmc;
401	static FNVMXEXITHANDLER hmR0VmxExitVmcall;
402	static FNVMXEXITHANDLER hmR0VmxExitRdtsc;
403	static FNVMXEXITHANDLERNSRC hmR0VmxExitRsm;
404	static FNVMXEXITHANDLERNSRC hmR0VmxExitSetPendingXcptUD;
405	static FNVMXEXITHANDLER hmR0VmxExitMovCRx;
406	static FNVMXEXITHANDLER hmR0VmxExitMovDRx;
407	static FNVMXEXITHANDLER hmR0VmxExitIoInstr;
408	static FNVMXEXITHANDLER hmR0VmxExitRdmsr;
409	static FNVMXEXITHANDLER hmR0VmxExitWrmsr;
410	static FNVMXEXITHANDLERNSRC hmR0VmxExitErrInvalidGuestState;
411	static FNVMXEXITHANDLERNSRC hmR0VmxExitErrMsrLoad;
412	static FNVMXEXITHANDLERNSRC hmR0VmxExitErrUndefined;
413	static FNVMXEXITHANDLER hmR0VmxExitMwait;
414	static FNVMXEXITHANDLER hmR0VmxExitMtf;
415	static FNVMXEXITHANDLER hmR0VmxExitMonitor;
416	static FNVMXEXITHANDLER hmR0VmxExitPause;
417	static FNVMXEXITHANDLERNSRC hmR0VmxExitErrMachineCheck;
418	static FNVMXEXITHANDLERNSRC hmR0VmxExitTprBelowThreshold;
419	static FNVMXEXITHANDLER hmR0VmxExitApicAccess;
420	static FNVMXEXITHANDLER hmR0VmxExitXdtrAccess;
421	static FNVMXEXITHANDLER hmR0VmxExitXdtrAccess;
422	static FNVMXEXITHANDLER hmR0VmxExitEptViolation;
423	static FNVMXEXITHANDLER hmR0VmxExitEptMisconfig;
424	static FNVMXEXITHANDLER hmR0VmxExitRdtscp;
425	static FNVMXEXITHANDLER hmR0VmxExitPreemptTimer;
426	static FNVMXEXITHANDLERNSRC hmR0VmxExitWbinvd;
427	static FNVMXEXITHANDLER hmR0VmxExitXsetbv;
428	static FNVMXEXITHANDLER hmR0VmxExitRdrand;
429	static FNVMXEXITHANDLER hmR0VmxExitInvpcid;
430	/** @} */
431
432	static int hmR0VmxExitXcptNM(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
433	static int hmR0VmxExitXcptPF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
434	static int hmR0VmxExitXcptMF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
435	static int hmR0VmxExitXcptDB(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
436	static int hmR0VmxExitXcptBP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
437	static int hmR0VmxExitXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
438	static int hmR0VmxExitXcptAC(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
439	static int hmR0VmxExitXcptGeneric(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
440	static uint32_t hmR0VmxCheckGuestState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx);
441
442
443	/*********************************************************************************************************************************
444	* Global Variables *
445	*********************************************************************************************************************************/
446	#ifdef HMVMX_USE_FUNCTION_TABLE
447
448	/**
449	* VMX_EXIT dispatch table.
450	*/
451	static const PFNVMXEXITHANDLER g_apfnVMExitHandlers[VMX_EXIT_MAX + 1] =
452	{
453	/* 00 VMX_EXIT_XCPT_OR_NMI */ hmR0VmxExitXcptOrNmi,
454	/* 01 VMX_EXIT_EXT_INT */ hmR0VmxExitExtInt,
455	/* 02 VMX_EXIT_TRIPLE_FAULT */ hmR0VmxExitTripleFault,
456	/* 03 VMX_EXIT_INIT_SIGNAL */ hmR0VmxExitInitSignal,
457	/* 04 VMX_EXIT_SIPI */ hmR0VmxExitSipi,
458	/* 05 VMX_EXIT_IO_SMI */ hmR0VmxExitIoSmi,
459	/* 06 VMX_EXIT_SMI */ hmR0VmxExitSmi,
460	/* 07 VMX_EXIT_INT_WINDOW */ hmR0VmxExitIntWindow,
461	/* 08 VMX_EXIT_NMI_WINDOW */ hmR0VmxExitNmiWindow,
462	/* 09 VMX_EXIT_TASK_SWITCH */ hmR0VmxExitTaskSwitch,
463	/* 10 VMX_EXIT_CPUID */ hmR0VmxExitCpuid,
464	/* 11 VMX_EXIT_GETSEC */ hmR0VmxExitGetsec,
465	/* 12 VMX_EXIT_HLT */ hmR0VmxExitHlt,
466	/* 13 VMX_EXIT_INVD */ hmR0VmxExitInvd,
467	/* 14 VMX_EXIT_INVLPG */ hmR0VmxExitInvlpg,
468	/* 15 VMX_EXIT_RDPMC */ hmR0VmxExitRdpmc,
469	/* 16 VMX_EXIT_RDTSC */ hmR0VmxExitRdtsc,
470	/* 17 VMX_EXIT_RSM */ hmR0VmxExitRsm,
471	/* 18 VMX_EXIT_VMCALL */ hmR0VmxExitVmcall,
472	/* 19 VMX_EXIT_VMCLEAR */ hmR0VmxExitSetPendingXcptUD,
473	/* 20 VMX_EXIT_VMLAUNCH */ hmR0VmxExitSetPendingXcptUD,
474	/* 21 VMX_EXIT_VMPTRLD */ hmR0VmxExitSetPendingXcptUD,
475	/* 22 VMX_EXIT_VMPTRST */ hmR0VmxExitSetPendingXcptUD,
476	/* 23 VMX_EXIT_VMREAD */ hmR0VmxExitSetPendingXcptUD,
477	/* 24 VMX_EXIT_VMRESUME */ hmR0VmxExitSetPendingXcptUD,
478	/* 25 VMX_EXIT_VMWRITE */ hmR0VmxExitSetPendingXcptUD,
479	/* 26 VMX_EXIT_VMXOFF */ hmR0VmxExitSetPendingXcptUD,
480	/* 27 VMX_EXIT_VMXON */ hmR0VmxExitSetPendingXcptUD,
481	/* 28 VMX_EXIT_MOV_CRX */ hmR0VmxExitMovCRx,
482	/* 29 VMX_EXIT_MOV_DRX */ hmR0VmxExitMovDRx,
483	/* 30 VMX_EXIT_IO_INSTR */ hmR0VmxExitIoInstr,
484	/* 31 VMX_EXIT_RDMSR */ hmR0VmxExitRdmsr,
485	/* 32 VMX_EXIT_WRMSR */ hmR0VmxExitWrmsr,
486	/* 33 VMX_EXIT_ERR_INVALID_GUEST_STATE */ hmR0VmxExitErrInvalidGuestState,
487	/* 34 VMX_EXIT_ERR_MSR_LOAD */ hmR0VmxExitErrMsrLoad,
488	/* 35 UNDEFINED */ hmR0VmxExitErrUndefined,
489	/* 36 VMX_EXIT_MWAIT */ hmR0VmxExitMwait,
490	/* 37 VMX_EXIT_MTF */ hmR0VmxExitMtf,
491	/* 38 UNDEFINED */ hmR0VmxExitErrUndefined,
492	/* 39 VMX_EXIT_MONITOR */ hmR0VmxExitMonitor,
493	/* 40 UNDEFINED */ hmR0VmxExitPause,
494	/* 41 VMX_EXIT_PAUSE */ hmR0VmxExitErrMachineCheck,
495	/* 42 VMX_EXIT_ERR_MACHINE_CHECK */ hmR0VmxExitErrUndefined,
496	/* 43 VMX_EXIT_TPR_BELOW_THRESHOLD */ hmR0VmxExitTprBelowThreshold,
497	/* 44 VMX_EXIT_APIC_ACCESS */ hmR0VmxExitApicAccess,
498	/* 45 UNDEFINED */ hmR0VmxExitErrUndefined,
499	/* 46 VMX_EXIT_XDTR_ACCESS */ hmR0VmxExitXdtrAccess,
500	/* 47 VMX_EXIT_TR_ACCESS */ hmR0VmxExitXdtrAccess,
501	/* 48 VMX_EXIT_EPT_VIOLATION */ hmR0VmxExitEptViolation,
502	/* 49 VMX_EXIT_EPT_MISCONFIG */ hmR0VmxExitEptMisconfig,
503	/* 50 VMX_EXIT_INVEPT */ hmR0VmxExitSetPendingXcptUD,
504	/* 51 VMX_EXIT_RDTSCP */ hmR0VmxExitRdtscp,
505	/* 52 VMX_EXIT_PREEMPT_TIMER */ hmR0VmxExitPreemptTimer,
506	/* 53 VMX_EXIT_INVVPID */ hmR0VmxExitSetPendingXcptUD,
507	/* 54 VMX_EXIT_WBINVD */ hmR0VmxExitWbinvd,
508	/* 55 VMX_EXIT_XSETBV */ hmR0VmxExitXsetbv,
509	/* 56 VMX_EXIT_APIC_WRITE */ hmR0VmxExitErrUndefined,
510	/* 57 VMX_EXIT_RDRAND */ hmR0VmxExitRdrand,
511	/* 58 VMX_EXIT_INVPCID */ hmR0VmxExitInvpcid,
512	/* 59 VMX_EXIT_VMFUNC */ hmR0VmxExitSetPendingXcptUD,
513	/* 60 VMX_EXIT_RESERVED_60 */ hmR0VmxExitErrUndefined,
514	/* 61 VMX_EXIT_RDSEED / hmR0VmxExitErrUndefined, / only spurious exits, so undefined */
515	/* 62 VMX_EXIT_RESERVED_62 */ hmR0VmxExitErrUndefined,
516	/* 63 VMX_EXIT_XSAVES */ hmR0VmxExitSetPendingXcptUD,
517	/* 64 VMX_EXIT_XRSTORS */ hmR0VmxExitSetPendingXcptUD,
518	};
519	#endif /* HMVMX_USE_FUNCTION_TABLE */
520
521	#ifdef VBOX_STRICT
522	static const char * const g_apszVmxInstrErrors[HMVMX_INSTR_ERROR_MAX + 1] =
523	{
524	/* 0 */ "(Not Used)",
525	/* 1 */ "VMCALL executed in VMX root operation.",
526	/* 2 */ "VMCLEAR with invalid physical address.",
527	/* 3 */ "VMCLEAR with VMXON pointer.",
528	/* 4 */ "VMLAUNCH with non-clear VMCS.",
529	/* 5 */ "VMRESUME with non-launched VMCS.",
530	/* 6 */ "VMRESUME after VMXOFF",
531	/* 7 */ "VM-entry with invalid control fields.",
532	/* 8 */ "VM-entry with invalid host state fields.",
533	/* 9 */ "VMPTRLD with invalid physical address.",
534	/* 10 */ "VMPTRLD with VMXON pointer.",
535	/* 11 */ "VMPTRLD with incorrect revision identifier.",
536	/* 12 */ "VMREAD/VMWRITE from/to unsupported VMCS component.",
537	/* 13 */ "VMWRITE to read-only VMCS component.",
538	/* 14 */ "(Not Used)",
539	/* 15 */ "VMXON executed in VMX root operation.",
540	/* 16 */ "VM-entry with invalid executive-VMCS pointer.",
541	/* 17 */ "VM-entry with non-launched executing VMCS.",
542	/* 18 */ "VM-entry with executive-VMCS pointer not VMXON pointer.",
543	/* 19 */ "VMCALL with non-clear VMCS.",
544	/* 20 */ "VMCALL with invalid VM-exit control fields.",
545	/* 21 */ "(Not Used)",
546	/* 22 */ "VMCALL with incorrect MSEG revision identifier.",
547	/* 23 */ "VMXOFF under dual monitor treatment of SMIs and SMM.",
548	/* 24 */ "VMCALL with invalid SMM-monitor features.",
549	/* 25 */ "VM-entry with invalid VM-execution control fields in executive VMCS.",
550	/* 26 */ "VM-entry with events blocked by MOV SS.",
551	/* 27 */ "(Not Used)",
552	/* 28 */ "Invalid operand to INVEPT/INVVPID."
553	};
554	#endif /* VBOX_STRICT */
555
556
557
558	/**
559	* Updates the VM's last error record.
560	*
561	* If there was a VMX instruction error, reads the error data from the VMCS and
562	* updates VCPU's last error record as well.
563	*
564	* @param pVM The cross context VM structure.
565	* @param pVCpu The cross context virtual CPU structure of the calling EMT.
566	* Can be NULL if @a rc is not VERR_VMX_UNABLE_TO_START_VM or
567	* VERR_VMX_INVALID_VMCS_FIELD.
568	* @param rc The error code.
569	*/
570	static void hmR0VmxUpdateErrorRecord(PVM pVM, PVMCPU pVCpu, int rc)
571	{
572	AssertPtr(pVM);
573	if ( rc == VERR_VMX_INVALID_VMCS_FIELD
574	\|\| rc == VERR_VMX_UNABLE_TO_START_VM)
575	{
576	AssertPtrReturnVoid(pVCpu);
577	VMXReadVmcs32(VMX_VMCS32_RO_VM_INSTR_ERROR, &pVCpu->hm.s.vmx.LastError.u32InstrError);
578	}
579	pVM->hm.s.lLastError = rc;
580	}
581
582
583	/**
584	* Reads the VM-entry interruption-information field from the VMCS into the VMX
585	* transient structure.
586	*
587	* @returns VBox status code.
588	* @param pVmxTransient Pointer to the VMX transient structure.
589	*
590	* @remarks No-long-jump zone!!!
591	*/
592	DECLINLINE(int) hmR0VmxReadEntryIntInfoVmcs(PVMXTRANSIENT pVmxTransient)
593	{
594	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, &pVmxTransient->uEntryIntInfo);
595	AssertRCReturn(rc, rc);
596	return VINF_SUCCESS;
597	}
598
599
600	/**
601	* Reads the VM-entry exception error code field from the VMCS into
602	* the VMX transient structure.
603	*
604	* @returns VBox status code.
605	* @param pVmxTransient Pointer to the VMX transient structure.
606	*
607	* @remarks No-long-jump zone!!!
608	*/
609	DECLINLINE(int) hmR0VmxReadEntryXcptErrorCodeVmcs(PVMXTRANSIENT pVmxTransient)
610	{
611	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE, &pVmxTransient->uEntryXcptErrorCode);
612	AssertRCReturn(rc, rc);
613	return VINF_SUCCESS;
614	}
615
616
617	/**
618	* Reads the VM-entry exception error code field from the VMCS into
619	* the VMX transient structure.
620	*
621	* @returns VBox status code.
622	* @param pVmxTransient Pointer to the VMX transient structure.
623	*
624	* @remarks No-long-jump zone!!!
625	*/
626	DECLINLINE(int) hmR0VmxReadEntryInstrLenVmcs(PVMXTRANSIENT pVmxTransient)
627	{
628	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH, &pVmxTransient->cbEntryInstr);
629	AssertRCReturn(rc, rc);
630	return VINF_SUCCESS;
631	}
632
633
634	/**
635	* Reads the VM-exit interruption-information field from the VMCS into the VMX
636	* transient structure.
637	*
638	* @returns VBox status code.
639	* @param pVmxTransient Pointer to the VMX transient structure.
640	*/
641	DECLINLINE(int) hmR0VmxReadExitIntInfoVmcs(PVMXTRANSIENT pVmxTransient)
642	{
643	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO))
644	{
645	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INTERRUPTION_INFO, &pVmxTransient->uExitIntInfo);
646	AssertRCReturn(rc, rc);
647	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO;
648	}
649	return VINF_SUCCESS;
650	}
651
652
653	/**
654	* Reads the VM-exit interruption error code from the VMCS into the VMX
655	* transient structure.
656	*
657	* @returns VBox status code.
658	* @param pVmxTransient Pointer to the VMX transient structure.
659	*/
660	DECLINLINE(int) hmR0VmxReadExitIntErrorCodeVmcs(PVMXTRANSIENT pVmxTransient)
661	{
662	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_ERROR_CODE))
663	{
664	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INTERRUPTION_ERROR_CODE, &pVmxTransient->uExitIntErrorCode);
665	AssertRCReturn(rc, rc);
666	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_ERROR_CODE;
667	}
668	return VINF_SUCCESS;
669	}
670
671
672	/**
673	* Reads the VM-exit instruction length field from the VMCS into the VMX
674	* transient structure.
675	*
676	* @returns VBox status code.
677	* @param pVmxTransient Pointer to the VMX transient structure.
678	*/
679	DECLINLINE(int) hmR0VmxReadExitInstrLenVmcs(PVMXTRANSIENT pVmxTransient)
680	{
681	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_LEN))
682	{
683	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INSTR_LENGTH, &pVmxTransient->cbInstr);
684	AssertRCReturn(rc, rc);
685	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_LEN;
686	}
687	return VINF_SUCCESS;
688	}
689
690
691	/**
692	* Reads the VM-exit instruction-information field from the VMCS into
693	* the VMX transient structure.
694	*
695	* @returns VBox status code.
696	* @param pVmxTransient Pointer to the VMX transient structure.
697	*/
698	DECLINLINE(int) hmR0VmxReadExitInstrInfoVmcs(PVMXTRANSIENT pVmxTransient)
699	{
700	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_INFO))
701	{
702	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INSTR_INFO, &pVmxTransient->ExitInstrInfo.u);
703	AssertRCReturn(rc, rc);
704	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_INFO;
705	}
706	return VINF_SUCCESS;
707	}
708
709
710	/**
711	* Reads the exit code qualification from the VMCS into the VMX transient
712	* structure.
713	*
714	* @returns VBox status code.
715	* @param pVCpu The cross context virtual CPU structure of the
716	* calling EMT. (Required for the VMCS cache case.)
717	* @param pVmxTransient Pointer to the VMX transient structure.
718	*/
719	DECLINLINE(int) hmR0VmxReadExitQualificationVmcs(PVMCPU pVCpu, PVMXTRANSIENT pVmxTransient)
720	{
721	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_QUALIFICATION))
722	{
723	int rc = VMXReadVmcsGstN(VMX_VMCS_RO_EXIT_QUALIFICATION, &pVmxTransient->uExitQualification); NOREF(pVCpu);
724	AssertRCReturn(rc, rc);
725	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_QUALIFICATION;
726	}
727	return VINF_SUCCESS;
728	}
729
730
731	/**
732	* Reads the IDT-vectoring information field from the VMCS into the VMX
733	* transient structure.
734	*
735	* @returns VBox status code.
736	* @param pVmxTransient Pointer to the VMX transient structure.
737	*
738	* @remarks No-long-jump zone!!!
739	*/
740	DECLINLINE(int) hmR0VmxReadIdtVectoringInfoVmcs(PVMXTRANSIENT pVmxTransient)
741	{
742	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_INFO))
743	{
744	int rc = VMXReadVmcs32(VMX_VMCS32_RO_IDT_INFO, &pVmxTransient->uIdtVectoringInfo);
745	AssertRCReturn(rc, rc);
746	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_INFO;
747	}
748	return VINF_SUCCESS;
749	}
750
751
752	/**
753	* Reads the IDT-vectoring error code from the VMCS into the VMX
754	* transient structure.
755	*
756	* @returns VBox status code.
757	* @param pVmxTransient Pointer to the VMX transient structure.
758	*/
759	DECLINLINE(int) hmR0VmxReadIdtVectoringErrorCodeVmcs(PVMXTRANSIENT pVmxTransient)
760	{
761	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_ERROR_CODE))
762	{
763	int rc = VMXReadVmcs32(VMX_VMCS32_RO_IDT_ERROR_CODE, &pVmxTransient->uIdtVectoringErrorCode);
764	AssertRCReturn(rc, rc);
765	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_ERROR_CODE;
766	}
767	return VINF_SUCCESS;
768	}
769
770
771	/**
772	* Enters VMX root mode operation on the current CPU.
773	*
774	* @returns VBox status code.
775	* @param pVM The cross context VM structure. Can be
776	* NULL, after a resume.
777	* @param HCPhysCpuPage Physical address of the VMXON region.
778	* @param pvCpuPage Pointer to the VMXON region.
779	*/
780	static int hmR0VmxEnterRootMode(PVM pVM, RTHCPHYS HCPhysCpuPage, void *pvCpuPage)
781	{
782	Assert(HCPhysCpuPage && HCPhysCpuPage != NIL_RTHCPHYS);
783	Assert(RT_ALIGN_T(HCPhysCpuPage, _4K, RTHCPHYS) == HCPhysCpuPage);
784	Assert(pvCpuPage);
785	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
786
787	if (pVM)
788	{
789	/* Write the VMCS revision dword to the VMXON region. */
790	(uint32_t )pvCpuPage = MSR_IA32_VMX_BASIC_INFO_VMCS_ID(pVM->hm.s.vmx.Msrs.u64BasicInfo);
791	}
792
793	/* Paranoid: Disable interrupts as, in theory, interrupt handlers might mess with CR4. */
794	RTCCUINTREG fEFlags = ASMIntDisableFlags();
795
796	/* Enable the VMX bit in CR4 if necessary. */
797	RTCCUINTREG uOldCr4 = SUPR0ChangeCR4(X86_CR4_VMXE, ~0);
798
799	/* Enter VMX root mode. */
800	int rc = VMXEnable(HCPhysCpuPage);
801	if (RT_FAILURE(rc))
802	{
803	if (!(uOldCr4 & X86_CR4_VMXE))
804	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
805
806	if (pVM)
807	pVM->hm.s.vmx.HCPhysVmxEnableError = HCPhysCpuPage;
808	}
809
810	/* Restore interrupts. */
811	ASMSetFlags(fEFlags);
812	return rc;
813	}
814
815
816	/**
817	* Exits VMX root mode operation on the current CPU.
818	*
819	* @returns VBox status code.
820	*/
821	static int hmR0VmxLeaveRootMode(void)
822	{
823	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
824
825	/* Paranoid: Disable interrupts as, in theory, interrupts handlers might mess with CR4. */
826	RTCCUINTREG fEFlags = ASMIntDisableFlags();
827
828	/* If we're for some reason not in VMX root mode, then don't leave it. */
829	RTCCUINTREG uHostCR4 = ASMGetCR4();
830
831	int rc;
832	if (uHostCR4 & X86_CR4_VMXE)
833	{
834	/* Exit VMX root mode and clear the VMX bit in CR4. */
835	VMXDisable();
836	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
837	rc = VINF_SUCCESS;
838	}
839	else
840	rc = VERR_VMX_NOT_IN_VMX_ROOT_MODE;
841
842	/* Restore interrupts. */
843	ASMSetFlags(fEFlags);
844	return rc;
845	}
846
847
848	/**
849	* Allocates and maps one physically contiguous page. The allocated page is
850	* zero'd out. (Used by various VT-x structures).
851	*
852	* @returns IPRT status code.
853	* @param pMemObj Pointer to the ring-0 memory object.
854	* @param ppVirt Where to store the virtual address of the
855	* allocation.
856	* @param pHCPhys Where to store the physical address of the
857	* allocation.
858	*/
859	DECLINLINE(int) hmR0VmxPageAllocZ(PRTR0MEMOBJ pMemObj, PRTR0PTR ppVirt, PRTHCPHYS pHCPhys)
860	{
861	AssertPtrReturn(pMemObj, VERR_INVALID_PARAMETER);
862	AssertPtrReturn(ppVirt, VERR_INVALID_PARAMETER);
863	AssertPtrReturn(pHCPhys, VERR_INVALID_PARAMETER);
864
865	int rc = RTR0MemObjAllocCont(pMemObj, PAGE_SIZE, false /* fExecutable */);
866	if (RT_FAILURE(rc))
867	return rc;
868	ppVirt = RTR0MemObjAddress(pMemObj);
869	pHCPhys = RTR0MemObjGetPagePhysAddr(pMemObj, 0 /* iPage */);
870	ASMMemZero32(*ppVirt, PAGE_SIZE);
871	return VINF_SUCCESS;
872	}
873
874
875	/**
876	* Frees and unmaps an allocated physical page.
877	*
878	* @param pMemObj Pointer to the ring-0 memory object.
879	* @param ppVirt Where to re-initialize the virtual address of
880	* allocation as 0.
881	* @param pHCPhys Where to re-initialize the physical address of the
882	* allocation as 0.
883	*/
884	DECLINLINE(void) hmR0VmxPageFree(PRTR0MEMOBJ pMemObj, PRTR0PTR ppVirt, PRTHCPHYS pHCPhys)
885	{
886	AssertPtr(pMemObj);
887	AssertPtr(ppVirt);
888	AssertPtr(pHCPhys);
889	if (*pMemObj != NIL_RTR0MEMOBJ)
890	{
891	int rc = RTR0MemObjFree(pMemObj, true / fFreeMappings */);
892	AssertRC(rc);
893	*pMemObj = NIL_RTR0MEMOBJ;
894	*ppVirt = 0;
895	*pHCPhys = 0;
896	}
897	}
898
899
900	/**
901	* Worker function to free VT-x related structures.
902	*
903	* @returns IPRT status code.
904	* @param pVM The cross context VM structure.
905	*/
906	static void hmR0VmxStructsFree(PVM pVM)
907	{
908	for (VMCPUID i = 0; i < pVM->cCpus; i++)
909	{
910	PVMCPU pVCpu = &pVM->aCpus[i];
911	AssertPtr(pVCpu);
912
913	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjHostMsr, &pVCpu->hm.s.vmx.pvHostMsr, &pVCpu->hm.s.vmx.HCPhysHostMsr);
914	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjGuestMsr, &pVCpu->hm.s.vmx.pvGuestMsr, &pVCpu->hm.s.vmx.HCPhysGuestMsr);
915
916	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
917	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjMsrBitmap, &pVCpu->hm.s.vmx.pvMsrBitmap, &pVCpu->hm.s.vmx.HCPhysMsrBitmap);
918
919	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjVirtApic, (PRTR0PTR)&pVCpu->hm.s.vmx.pbVirtApic, &pVCpu->hm.s.vmx.HCPhysVirtApic);
920	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjVmcs, &pVCpu->hm.s.vmx.pvVmcs, &pVCpu->hm.s.vmx.HCPhysVmcs);
921	}
922
923	hmR0VmxPageFree(&pVM->hm.s.vmx.hMemObjApicAccess, (PRTR0PTR)&pVM->hm.s.vmx.pbApicAccess, &pVM->hm.s.vmx.HCPhysApicAccess);
924	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
925	hmR0VmxPageFree(&pVM->hm.s.vmx.hMemObjScratch, &pVM->hm.s.vmx.pbScratch, &pVM->hm.s.vmx.HCPhysScratch);
926	#endif
927	}
928
929
930	/**
931	* Worker function to allocate VT-x related VM structures.
932	*
933	* @returns IPRT status code.
934	* @param pVM The cross context VM structure.
935	*/
936	static int hmR0VmxStructsAlloc(PVM pVM)
937	{
938	/*
939	* Initialize members up-front so we can cleanup properly on allocation failure.
940	*/
941	#define VMXLOCAL_INIT_VM_MEMOBJ(a_Name, a_VirtPrefix) \
942	pVM->hm.s.vmx.hMemObj##a_Name = NIL_RTR0MEMOBJ; \
943	pVM->hm.s.vmx.a_VirtPrefix##a_Name = 0; \
944	pVM->hm.s.vmx.HCPhys##a_Name = 0;
945
946	#define VMXLOCAL_INIT_VMCPU_MEMOBJ(a_Name, a_VirtPrefix) \
947	pVCpu->hm.s.vmx.hMemObj##a_Name = NIL_RTR0MEMOBJ; \
948	pVCpu->hm.s.vmx.a_VirtPrefix##a_Name = 0; \
949	pVCpu->hm.s.vmx.HCPhys##a_Name = 0;
950
951	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
952	VMXLOCAL_INIT_VM_MEMOBJ(Scratch, pv);
953	#endif
954	VMXLOCAL_INIT_VM_MEMOBJ(ApicAccess, pb);
955
956	AssertCompile(sizeof(VMCPUID) == sizeof(pVM->cCpus));
957	for (VMCPUID i = 0; i < pVM->cCpus; i++)
958	{
959	PVMCPU pVCpu = &pVM->aCpus[i];
960	VMXLOCAL_INIT_VMCPU_MEMOBJ(Vmcs, pv);
961	VMXLOCAL_INIT_VMCPU_MEMOBJ(VirtApic, pb);
962	VMXLOCAL_INIT_VMCPU_MEMOBJ(MsrBitmap, pv);
963	VMXLOCAL_INIT_VMCPU_MEMOBJ(GuestMsr, pv);
964	VMXLOCAL_INIT_VMCPU_MEMOBJ(HostMsr, pv);
965	}
966	#undef VMXLOCAL_INIT_VMCPU_MEMOBJ
967	#undef VMXLOCAL_INIT_VM_MEMOBJ
968
969	/* The VMCS size cannot be more than 4096 bytes. See Intel spec. Appendix A.1 "Basic VMX Information". */
970	AssertReturnStmt(MSR_IA32_VMX_BASIC_INFO_VMCS_SIZE(pVM->hm.s.vmx.Msrs.u64BasicInfo) <= PAGE_SIZE,
971	(&pVM->aCpus[0])->hm.s.u32HMError = VMX_UFC_INVALID_VMCS_SIZE,
972	VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO);
973
974	/*
975	* Allocate all the VT-x structures.
976	*/
977	int rc = VINF_SUCCESS;
978	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
979	rc = hmR0VmxPageAllocZ(&pVM->hm.s.vmx.hMemObjScratch, &pVM->hm.s.vmx.pbScratch, &pVM->hm.s.vmx.HCPhysScratch);
980	if (RT_FAILURE(rc))
981	goto cleanup;
982	strcpy((char *)pVM->hm.s.vmx.pbScratch, "SCRATCH Magic");
983	(uint64_t )(pVM->hm.s.vmx.pbScratch + 16) = UINT64_C(0xdeadbeefdeadbeef);
984	#endif
985
986	/* Allocate the APIC-access page for trapping APIC accesses from the guest. */
987	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC)
988	{
989	rc = hmR0VmxPageAllocZ(&pVM->hm.s.vmx.hMemObjApicAccess, (PRTR0PTR)&pVM->hm.s.vmx.pbApicAccess,
990	&pVM->hm.s.vmx.HCPhysApicAccess);
991	if (RT_FAILURE(rc))
992	goto cleanup;
993	}
994
995	/*
996	* Initialize per-VCPU VT-x structures.
997	*/
998	for (VMCPUID i = 0; i < pVM->cCpus; i++)
999	{
1000	PVMCPU pVCpu = &pVM->aCpus[i];
1001	AssertPtr(pVCpu);
1002
1003	/* Allocate the VM control structure (VMCS). */
1004	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjVmcs, &pVCpu->hm.s.vmx.pvVmcs, &pVCpu->hm.s.vmx.HCPhysVmcs);
1005	if (RT_FAILURE(rc))
1006	goto cleanup;
1007
1008	/* Allocate the Virtual-APIC page for transparent TPR accesses. */
1009	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
1010	{
1011	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjVirtApic, (PRTR0PTR)&pVCpu->hm.s.vmx.pbVirtApic,
1012	&pVCpu->hm.s.vmx.HCPhysVirtApic);
1013	if (RT_FAILURE(rc))
1014	goto cleanup;
1015	}
1016
1017	/*
1018	* Allocate the MSR-bitmap if supported by the CPU. The MSR-bitmap is for
1019	* transparent accesses of specific MSRs.
1020	*
1021	* If the condition for enabling MSR bitmaps changes here, don't forget to
1022	* update HMAreMsrBitmapsAvailable().
1023	*/
1024	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1025	{
1026	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjMsrBitmap, &pVCpu->hm.s.vmx.pvMsrBitmap,
1027	&pVCpu->hm.s.vmx.HCPhysMsrBitmap);
1028	if (RT_FAILURE(rc))
1029	goto cleanup;
1030	ASMMemFill32(pVCpu->hm.s.vmx.pvMsrBitmap, PAGE_SIZE, UINT32_C(0xffffffff));
1031	}
1032
1033	/* Allocate the VM-entry MSR-load and VM-exit MSR-store page for the guest MSRs. */
1034	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjGuestMsr, &pVCpu->hm.s.vmx.pvGuestMsr, &pVCpu->hm.s.vmx.HCPhysGuestMsr);
1035	if (RT_FAILURE(rc))
1036	goto cleanup;
1037
1038	/* Allocate the VM-exit MSR-load page for the host MSRs. */
1039	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjHostMsr, &pVCpu->hm.s.vmx.pvHostMsr, &pVCpu->hm.s.vmx.HCPhysHostMsr);
1040	if (RT_FAILURE(rc))
1041	goto cleanup;
1042	}
1043
1044	return VINF_SUCCESS;
1045
1046	cleanup:
1047	hmR0VmxStructsFree(pVM);
1048	return rc;
1049	}
1050
1051
1052	/**
1053	* Does global VT-x initialization (called during module initialization).
1054	*
1055	* @returns VBox status code.
1056	*/
1057	VMMR0DECL(int) VMXR0GlobalInit(void)
1058	{
1059	#ifdef HMVMX_USE_FUNCTION_TABLE
1060	AssertCompile(VMX_EXIT_MAX + 1 == RT_ELEMENTS(g_apfnVMExitHandlers));
1061	# ifdef VBOX_STRICT
1062	for (unsigned i = 0; i < RT_ELEMENTS(g_apfnVMExitHandlers); i++)
1063	Assert(g_apfnVMExitHandlers[i]);
1064	# endif
1065	#endif
1066	return VINF_SUCCESS;
1067	}
1068
1069
1070	/**
1071	* Does global VT-x termination (called during module termination).
1072	*/
1073	VMMR0DECL(void) VMXR0GlobalTerm()
1074	{
1075	/* Nothing to do currently. */
1076	}
1077
1078
1079	/**
1080	* Sets up and activates VT-x on the current CPU.
1081	*
1082	* @returns VBox status code.
1083	* @param pCpu Pointer to the global CPU info struct.
1084	* @param pVM The cross context VM structure. Can be
1085	* NULL after a host resume operation.
1086	* @param pvCpuPage Pointer to the VMXON region (can be NULL if @a
1087	* fEnabledByHost is @c true).
1088	* @param HCPhysCpuPage Physical address of the VMXON region (can be 0 if
1089	* @a fEnabledByHost is @c true).
1090	* @param fEnabledByHost Set if SUPR0EnableVTx() or similar was used to
1091	* enable VT-x on the host.
1092	* @param pvMsrs Opaque pointer to VMXMSRS struct.
1093	*/
1094	VMMR0DECL(int) VMXR0EnableCpu(PHMGLOBALCPUINFO pCpu, PVM pVM, void *pvCpuPage, RTHCPHYS HCPhysCpuPage, bool fEnabledByHost,
1095	void *pvMsrs)
1096	{
1097	Assert(pCpu);
1098	Assert(pvMsrs);
1099	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1100
1101	/* Enable VT-x if it's not already enabled by the host. */
1102	if (!fEnabledByHost)
1103	{
1104	int rc = hmR0VmxEnterRootMode(pVM, HCPhysCpuPage, pvCpuPage);
1105	if (RT_FAILURE(rc))
1106	return rc;
1107	}
1108
1109	/*
1110	* Flush all EPT tagged-TLB entries (in case VirtualBox or any other hypervisor have been using EPTPs) so
1111	* we don't retain any stale guest-physical mappings which won't get invalidated when flushing by VPID.
1112	*/
1113	PVMXMSRS pMsrs = (PVMXMSRS)pvMsrs;
1114	if (pMsrs->u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_ALL_CONTEXTS)
1115	{
1116	hmR0VmxFlushEpt(NULL /* pVCpu */, VMXFLUSHEPT_ALL_CONTEXTS);
1117	pCpu->fFlushAsidBeforeUse = false;
1118	}
1119	else
1120	pCpu->fFlushAsidBeforeUse = true;
1121
1122	/* Ensure each VCPU scheduled on this CPU gets a new VPID on resume. See @bugref{6255}. */
1123	++pCpu->cTlbFlushes;
1124
1125	return VINF_SUCCESS;
1126	}
1127
1128
1129	/**
1130	* Deactivates VT-x on the current CPU.
1131	*
1132	* @returns VBox status code.
1133	* @param pCpu Pointer to the global CPU info struct.
1134	* @param pvCpuPage Pointer to the VMXON region.
1135	* @param HCPhysCpuPage Physical address of the VMXON region.
1136	*
1137	* @remarks This function should never be called when SUPR0EnableVTx() or
1138	* similar was used to enable VT-x on the host.
1139	*/
1140	VMMR0DECL(int) VMXR0DisableCpu(PHMGLOBALCPUINFO pCpu, void *pvCpuPage, RTHCPHYS HCPhysCpuPage)
1141	{
1142	NOREF(pCpu);
1143	NOREF(pvCpuPage);
1144	NOREF(HCPhysCpuPage);
1145
1146	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1147	return hmR0VmxLeaveRootMode();
1148	}
1149
1150
1151	/**
1152	* Sets the permission bits for the specified MSR in the MSR bitmap.
1153	*
1154	* @param pVCpu The cross context virtual CPU structure.
1155	* @param uMsr The MSR value.
1156	* @param enmRead Whether reading this MSR causes a VM-exit.
1157	* @param enmWrite Whether writing this MSR causes a VM-exit.
1158	*/
1159	static void hmR0VmxSetMsrPermission(PVMCPU pVCpu, uint32_t uMsr, VMXMSREXITREAD enmRead, VMXMSREXITWRITE enmWrite)
1160	{
1161	int32_t iBit;
1162	uint8_t pbMsrBitmap = (uint8_t )pVCpu->hm.s.vmx.pvMsrBitmap;
1163
1164	/*
1165	* Layout:
1166	* 0x000 - 0x3ff - Low MSR read bits
1167	* 0x400 - 0x7ff - High MSR read bits
1168	* 0x800 - 0xbff - Low MSR write bits
1169	* 0xc00 - 0xfff - High MSR write bits
1170	*/
1171	if (uMsr <= 0x00001FFF)
1172	iBit = uMsr;
1173	else if (uMsr - UINT32_C(0xC0000000) <= UINT32_C(0x00001FFF))
1174	{
1175	iBit = uMsr - UINT32_C(0xC0000000);
1176	pbMsrBitmap += 0x400;
1177	}
1178	else
1179	AssertMsgFailedReturnVoid(("hmR0VmxSetMsrPermission: Invalid MSR %#RX32\n", uMsr));
1180
1181	Assert(iBit <= 0x1fff);
1182	if (enmRead == VMXMSREXIT_INTERCEPT_READ)
1183	ASMBitSet(pbMsrBitmap, iBit);
1184	else
1185	ASMBitClear(pbMsrBitmap, iBit);
1186
1187	if (enmWrite == VMXMSREXIT_INTERCEPT_WRITE)
1188	ASMBitSet(pbMsrBitmap + 0x800, iBit);
1189	else
1190	ASMBitClear(pbMsrBitmap + 0x800, iBit);
1191	}
1192
1193
1194	#ifdef VBOX_STRICT
1195	/**
1196	* Gets the permission bits for the specified MSR in the MSR bitmap.
1197	*
1198	* @returns VBox status code.
1199	* @retval VINF_SUCCESS if the specified MSR is found.
1200	* @retval VERR_NOT_FOUND if the specified MSR is not found.
1201	* @retval VERR_NOT_SUPPORTED if VT-x doesn't allow the MSR.
1202	*
1203	* @param pVCpu The cross context virtual CPU structure.
1204	* @param uMsr The MSR.
1205	* @param penmRead Where to store the read permissions.
1206	* @param penmWrite Where to store the write permissions.
1207	*/
1208	static int hmR0VmxGetMsrPermission(PVMCPU pVCpu, uint32_t uMsr, PVMXMSREXITREAD penmRead, PVMXMSREXITWRITE penmWrite)
1209	{
1210	AssertPtrReturn(penmRead, VERR_INVALID_PARAMETER);
1211	AssertPtrReturn(penmWrite, VERR_INVALID_PARAMETER);
1212	int32_t iBit;
1213	uint8_t pbMsrBitmap = (uint8_t )pVCpu->hm.s.vmx.pvMsrBitmap;
1214
1215	/* See hmR0VmxSetMsrPermission() for the layout. */
1216	if (uMsr <= 0x00001FFF)
1217	iBit = uMsr;
1218	else if ( uMsr >= 0xC0000000
1219	&& uMsr <= 0xC0001FFF)
1220	{
1221	iBit = (uMsr - 0xC0000000);
1222	pbMsrBitmap += 0x400;
1223	}
1224	else
1225	AssertMsgFailedReturn(("hmR0VmxGetMsrPermission: Invalid MSR %#RX32\n", uMsr), VERR_NOT_SUPPORTED);
1226
1227	Assert(iBit <= 0x1fff);
1228	if (ASMBitTest(pbMsrBitmap, iBit))
1229	*penmRead = VMXMSREXIT_INTERCEPT_READ;
1230	else
1231	*penmRead = VMXMSREXIT_PASSTHRU_READ;
1232
1233	if (ASMBitTest(pbMsrBitmap + 0x800, iBit))
1234	*penmWrite = VMXMSREXIT_INTERCEPT_WRITE;
1235	else
1236	*penmWrite = VMXMSREXIT_PASSTHRU_WRITE;
1237	return VINF_SUCCESS;
1238	}
1239	#endif /* VBOX_STRICT */
1240
1241
1242	/**
1243	* Updates the VMCS with the number of effective MSRs in the auto-load/store MSR
1244	* area.
1245	*
1246	* @returns VBox status code.
1247	* @param pVCpu The cross context virtual CPU structure.
1248	* @param cMsrs The number of MSRs.
1249	*/
1250	DECLINLINE(int) hmR0VmxSetAutoLoadStoreMsrCount(PVMCPU pVCpu, uint32_t cMsrs)
1251	{
1252	/* Shouldn't ever happen but there -is- a number. We're well within the recommended 512. */
1253	uint32_t const cMaxSupportedMsrs = MSR_IA32_VMX_MISC_MAX_MSR(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.u64Misc);
1254	if (RT_UNLIKELY(cMsrs > cMaxSupportedMsrs))
1255	{
1256	LogRel(("CPU auto-load/store MSR count in VMCS exceeded cMsrs=%u Supported=%u.\n", cMsrs, cMaxSupportedMsrs));
1257	pVCpu->hm.s.u32HMError = VMX_UFC_INSUFFICIENT_GUEST_MSR_STORAGE;
1258	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
1259	}
1260
1261	/* Update number of guest MSRs to load/store across the world-switch. */
1262	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, cMsrs);
1263	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, cMsrs);
1264
1265	/* Update number of host MSRs to load after the world-switch. Identical to guest-MSR count as it's always paired. */
1266	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, cMsrs);
1267	AssertRCReturn(rc, rc);
1268
1269	/* Update the VCPU's copy of the MSR count. */
1270	pVCpu->hm.s.vmx.cMsrs = cMsrs;
1271
1272	return VINF_SUCCESS;
1273	}
1274
1275
1276	/**
1277	* Adds a new (or updates the value of an existing) guest/host MSR
1278	* pair to be swapped during the world-switch as part of the
1279	* auto-load/store MSR area in the VMCS.
1280	*
1281	* @returns VBox status code.
1282	* @param pVCpu The cross context virtual CPU structure.
1283	* @param uMsr The MSR.
1284	* @param uGuestMsrValue Value of the guest MSR.
1285	* @param fUpdateHostMsr Whether to update the value of the host MSR if
1286	* necessary.
1287	* @param pfAddedAndUpdated Where to store whether the MSR was added -and-
1288	* its value was updated. Optional, can be NULL.
1289	*/
1290	static int hmR0VmxAddAutoLoadStoreMsr(PVMCPU pVCpu, uint32_t uMsr, uint64_t uGuestMsrValue, bool fUpdateHostMsr,
1291	bool *pfAddedAndUpdated)
1292	{
1293	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1294	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1295	uint32_t i;
1296	for (i = 0; i < cMsrs; i++)
1297	{
1298	if (pGuestMsr->u32Msr == uMsr)
1299	break;
1300	pGuestMsr++;
1301	}
1302
1303	bool fAdded = false;
1304	if (i == cMsrs)
1305	{
1306	++cMsrs;
1307	int rc = hmR0VmxSetAutoLoadStoreMsrCount(pVCpu, cMsrs);
1308	AssertMsgRCReturn(rc, ("hmR0VmxAddAutoLoadStoreMsr: Insufficient space to add MSR %u\n", uMsr), rc);
1309
1310	/* Now that we're swapping MSRs during the world-switch, allow the guest to read/write them without causing VM-exits. */
1311	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1312	hmR0VmxSetMsrPermission(pVCpu, uMsr, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
1313
1314	fAdded = true;
1315	}
1316
1317	/* Update the MSR values in the auto-load/store MSR area. */
1318	pGuestMsr->u32Msr = uMsr;
1319	pGuestMsr->u64Value = uGuestMsrValue;
1320
1321	/* Create/update the MSR slot in the host MSR area. */
1322	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1323	pHostMsr += i;
1324	pHostMsr->u32Msr = uMsr;
1325
1326	/*
1327	* Update the host MSR only when requested by the caller AND when we're
1328	* adding it to the auto-load/store area. Otherwise, it would have been
1329	* updated by hmR0VmxSaveHostMsrs(). We do this for performance reasons.
1330	*/
1331	bool fUpdatedMsrValue = false;
1332	if ( fAdded
1333	&& fUpdateHostMsr)
1334	{
1335	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1336	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1337	pHostMsr->u64Value = ASMRdMsr(pHostMsr->u32Msr);
1338	fUpdatedMsrValue = true;
1339	}
1340
1341	if (pfAddedAndUpdated)
1342	*pfAddedAndUpdated = fUpdatedMsrValue;
1343	return VINF_SUCCESS;
1344	}
1345
1346
1347	/**
1348	* Removes a guest/host MSR pair to be swapped during the world-switch from the
1349	* auto-load/store MSR area in the VMCS.
1350	*
1351	* @returns VBox status code.
1352	* @param pVCpu The cross context virtual CPU structure.
1353	* @param uMsr The MSR.
1354	*/
1355	static int hmR0VmxRemoveAutoLoadStoreMsr(PVMCPU pVCpu, uint32_t uMsr)
1356	{
1357	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1358	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1359	for (uint32_t i = 0; i < cMsrs; i++)
1360	{
1361	/* Find the MSR. */
1362	if (pGuestMsr->u32Msr == uMsr)
1363	{
1364	/* If it's the last MSR, simply reduce the count. */
1365	if (i == cMsrs - 1)
1366	{
1367	--cMsrs;
1368	break;
1369	}
1370
1371	/* Remove it by swapping the last MSR in place of it, and reducing the count. */
1372	PVMXAUTOMSR pLastGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1373	pLastGuestMsr += cMsrs - 1;
1374	pGuestMsr->u32Msr = pLastGuestMsr->u32Msr;
1375	pGuestMsr->u64Value = pLastGuestMsr->u64Value;
1376
1377	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1378	PVMXAUTOMSR pLastHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1379	pLastHostMsr += cMsrs - 1;
1380	pHostMsr->u32Msr = pLastHostMsr->u32Msr;
1381	pHostMsr->u64Value = pLastHostMsr->u64Value;
1382	--cMsrs;
1383	break;
1384	}
1385	pGuestMsr++;
1386	}
1387
1388	/* Update the VMCS if the count changed (meaning the MSR was found). */
1389	if (cMsrs != pVCpu->hm.s.vmx.cMsrs)
1390	{
1391	int rc = hmR0VmxSetAutoLoadStoreMsrCount(pVCpu, cMsrs);
1392	AssertRCReturn(rc, rc);
1393
1394	/* We're no longer swapping MSRs during the world-switch, intercept guest read/writes to them. */
1395	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1396	hmR0VmxSetMsrPermission(pVCpu, uMsr, VMXMSREXIT_INTERCEPT_READ, VMXMSREXIT_INTERCEPT_WRITE);
1397
1398	Log4(("Removed MSR %#RX32 new cMsrs=%u\n", uMsr, pVCpu->hm.s.vmx.cMsrs));
1399	return VINF_SUCCESS;
1400	}
1401
1402	return VERR_NOT_FOUND;
1403	}
1404
1405
1406	/**
1407	* Checks if the specified guest MSR is part of the auto-load/store area in
1408	* the VMCS.
1409	*
1410	* @returns true if found, false otherwise.
1411	* @param pVCpu The cross context virtual CPU structure.
1412	* @param uMsr The MSR to find.
1413	*/
1414	static bool hmR0VmxIsAutoLoadStoreGuestMsr(PVMCPU pVCpu, uint32_t uMsr)
1415	{
1416	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1417	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1418
1419	for (uint32_t i = 0; i < cMsrs; i++, pGuestMsr++)
1420	{
1421	if (pGuestMsr->u32Msr == uMsr)
1422	return true;
1423	}
1424	return false;
1425	}
1426
1427
1428	/**
1429	* Updates the value of all host MSRs in the auto-load/store area in the VMCS.
1430	*
1431	* @param pVCpu The cross context virtual CPU structure.
1432	*
1433	* @remarks No-long-jump zone!!!
1434	*/
1435	static void hmR0VmxUpdateAutoLoadStoreHostMsrs(PVMCPU pVCpu)
1436	{
1437	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1438	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1439	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1440	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1441
1442	for (uint32_t i = 0; i < cMsrs; i++, pHostMsr++, pGuestMsr++)
1443	{
1444	AssertReturnVoid(pHostMsr->u32Msr == pGuestMsr->u32Msr);
1445
1446	/*
1447	* Performance hack for the host EFER MSR. We use the cached value rather than re-read it.
1448	* Strict builds will catch mismatches in hmR0VmxCheckAutoLoadStoreMsrs(). See @bugref{7368}.
1449	*/
1450	if (pHostMsr->u32Msr == MSR_K6_EFER)
1451	pHostMsr->u64Value = pVCpu->CTX_SUFF(pVM)->hm.s.vmx.u64HostEfer;
1452	else
1453	pHostMsr->u64Value = ASMRdMsr(pHostMsr->u32Msr);
1454	}
1455
1456	pVCpu->hm.s.vmx.fUpdatedHostMsrs = true;
1457	}
1458
1459
1460	/**
1461	* Saves a set of host MSRs to allow read/write passthru access to the guest and
1462	* perform lazy restoration of the host MSRs while leaving VT-x.
1463	*
1464	* @param pVCpu The cross context virtual CPU structure.
1465	*
1466	* @remarks No-long-jump zone!!!
1467	*/
1468	static void hmR0VmxLazySaveHostMsrs(PVMCPU pVCpu)
1469	{
1470	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1471
1472	/*
1473	* Note: If you're adding MSRs here, make sure to update the MSR-bitmap permissions in hmR0VmxSetupProcCtls().
1474	*/
1475	Assert(!(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST));
1476	if (!(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST))
1477	{
1478	#if HC_ARCH_BITS == 64
1479	if (pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests)
1480	{
1481	pVCpu->hm.s.vmx.u64HostLStarMsr = ASMRdMsr(MSR_K8_LSTAR);
1482	pVCpu->hm.s.vmx.u64HostStarMsr = ASMRdMsr(MSR_K6_STAR);
1483	pVCpu->hm.s.vmx.u64HostSFMaskMsr = ASMRdMsr(MSR_K8_SF_MASK);
1484	pVCpu->hm.s.vmx.u64HostKernelGSBaseMsr = ASMRdMsr(MSR_K8_KERNEL_GS_BASE);
1485	}
1486	#endif
1487	pVCpu->hm.s.vmx.fLazyMsrs \|= VMX_LAZY_MSRS_SAVED_HOST;
1488	}
1489	}
1490
1491
1492	/**
1493	* Checks whether the MSR belongs to the set of guest MSRs that we restore
1494	* lazily while leaving VT-x.
1495	*
1496	* @returns true if it does, false otherwise.
1497	* @param pVCpu The cross context virtual CPU structure.
1498	* @param uMsr The MSR to check.
1499	*/
1500	static bool hmR0VmxIsLazyGuestMsr(PVMCPU pVCpu, uint32_t uMsr)
1501	{
1502	NOREF(pVCpu);
1503	#if HC_ARCH_BITS == 64
1504	if (pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests)
1505	{
1506	switch (uMsr)
1507	{
1508	case MSR_K8_LSTAR:
1509	case MSR_K6_STAR:
1510	case MSR_K8_SF_MASK:
1511	case MSR_K8_KERNEL_GS_BASE:
1512	return true;
1513	}
1514	}
1515	#endif
1516	return false;
1517	}
1518
1519
1520	/**
1521	* Saves a set of guest MSRs back into the guest-CPU context.
1522	*
1523	* @param pVCpu The cross context virtual CPU structure.
1524	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
1525	* out-of-sync. Make sure to update the required fields
1526	* before using them.
1527	*
1528	* @remarks No-long-jump zone!!!
1529	*/
1530	static void hmR0VmxLazySaveGuestMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
1531	{
1532	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1533	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1534
1535	if (pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST)
1536	{
1537	Assert(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
1538	#if HC_ARCH_BITS == 64
1539	if (pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests)
1540	{
1541	pMixedCtx->msrLSTAR = ASMRdMsr(MSR_K8_LSTAR);
1542	pMixedCtx->msrSTAR = ASMRdMsr(MSR_K6_STAR);
1543	pMixedCtx->msrSFMASK = ASMRdMsr(MSR_K8_SF_MASK);
1544	pMixedCtx->msrKERNELGSBASE = ASMRdMsr(MSR_K8_KERNEL_GS_BASE);
1545	}
1546	#endif
1547	}
1548	}
1549
1550
1551	/**
1552	* Loads a set of guests MSRs to allow read/passthru to the guest.
1553	*
1554	* The name of this function is slightly confusing. This function does NOT
1555	* postpone loading, but loads the MSR right now. "hmR0VmxLazy" is simply a
1556	* common prefix for functions dealing with "lazy restoration" of the shared
1557	* MSRs.
1558	*
1559	* @param pVCpu The cross context virtual CPU structure.
1560	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
1561	* out-of-sync. Make sure to update the required fields
1562	* before using them.
1563	*
1564	* @remarks No-long-jump zone!!!
1565	*/
1566	static void hmR0VmxLazyLoadGuestMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
1567	{
1568	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1569	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1570
1571	#define VMXLOCAL_LAZY_LOAD_GUEST_MSR(uMsr, a_GuestMsr, a_HostMsr) \
1572	do { \
1573	if (pMixedCtx->msr##a_GuestMsr != pVCpu->hm.s.vmx.u64Host##a_HostMsr##Msr) \
1574	ASMWrMsr(uMsr, pMixedCtx->msr##a_GuestMsr); \
1575	else \
1576	Assert(ASMRdMsr(uMsr) == pVCpu->hm.s.vmx.u64Host##a_HostMsr##Msr); \
1577	} while (0)
1578
1579	Assert(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
1580	if (!(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST))
1581	{
1582	#if HC_ARCH_BITS == 64
1583	if (pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests)
1584	{
1585	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K8_LSTAR, LSTAR, LStar);
1586	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K6_STAR, STAR, Star);
1587	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K8_SF_MASK, SFMASK, SFMask);
1588	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K8_KERNEL_GS_BASE, KERNELGSBASE, KernelGSBase);
1589	}
1590	#endif
1591	pVCpu->hm.s.vmx.fLazyMsrs \|= VMX_LAZY_MSRS_LOADED_GUEST;
1592	}
1593
1594	#undef VMXLOCAL_LAZY_LOAD_GUEST_MSR
1595	}
1596
1597
1598	/**
1599	* Performs lazy restoration of the set of host MSRs if they were previously
1600	* loaded with guest MSR values.
1601	*
1602	* @param pVCpu The cross context virtual CPU structure.
1603	*
1604	* @remarks No-long-jump zone!!!
1605	* @remarks The guest MSRs should have been saved back into the guest-CPU
1606	* context by hmR0VmxSaveGuestLazyMsrs()!!!
1607	*/
1608	static void hmR0VmxLazyRestoreHostMsrs(PVMCPU pVCpu)
1609	{
1610	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1611	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1612
1613	if (pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST)
1614	{
1615	Assert(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
1616	#if HC_ARCH_BITS == 64
1617	if (pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests)
1618	{
1619	ASMWrMsr(MSR_K8_LSTAR, pVCpu->hm.s.vmx.u64HostLStarMsr);
1620	ASMWrMsr(MSR_K6_STAR, pVCpu->hm.s.vmx.u64HostStarMsr);
1621	ASMWrMsr(MSR_K8_SF_MASK, pVCpu->hm.s.vmx.u64HostSFMaskMsr);
1622	ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pVCpu->hm.s.vmx.u64HostKernelGSBaseMsr);
1623	}
1624	#endif
1625	}
1626	pVCpu->hm.s.vmx.fLazyMsrs &= ~(VMX_LAZY_MSRS_LOADED_GUEST \| VMX_LAZY_MSRS_SAVED_HOST);
1627	}
1628
1629
1630	/**
1631	* Verifies that our cached values of the VMCS controls are all
1632	* consistent with what's actually present in the VMCS.
1633	*
1634	* @returns VBox status code.
1635	* @param pVCpu The cross context virtual CPU structure.
1636	*/
1637	static int hmR0VmxCheckVmcsCtls(PVMCPU pVCpu)
1638	{
1639	uint32_t u32Val;
1640	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY, &u32Val);
1641	AssertRCReturn(rc, rc);
1642	AssertMsgReturn(pVCpu->hm.s.vmx.u32EntryCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32EntryCtls, u32Val),
1643	VERR_VMX_ENTRY_CTLS_CACHE_INVALID);
1644
1645	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT, &u32Val);
1646	AssertRCReturn(rc, rc);
1647	AssertMsgReturn(pVCpu->hm.s.vmx.u32ExitCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32ExitCtls, u32Val),
1648	VERR_VMX_EXIT_CTLS_CACHE_INVALID);
1649
1650	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PIN_EXEC, &u32Val);
1651	AssertRCReturn(rc, rc);
1652	AssertMsgReturn(pVCpu->hm.s.vmx.u32PinCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32PinCtls, u32Val),
1653	VERR_VMX_PIN_EXEC_CTLS_CACHE_INVALID);
1654
1655	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, &u32Val);
1656	AssertRCReturn(rc, rc);
1657	AssertMsgReturn(pVCpu->hm.s.vmx.u32ProcCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32ProcCtls, u32Val),
1658	VERR_VMX_PROC_EXEC_CTLS_CACHE_INVALID);
1659
1660	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL)
1661	{
1662	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, &u32Val);
1663	AssertRCReturn(rc, rc);
1664	AssertMsgReturn(pVCpu->hm.s.vmx.u32ProcCtls2 == u32Val,
1665	("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32ProcCtls2, u32Val),
1666	VERR_VMX_PROC_EXEC2_CTLS_CACHE_INVALID);
1667	}
1668
1669	return VINF_SUCCESS;
1670	}
1671
1672
1673	#ifdef VBOX_STRICT
1674	/**
1675	* Verifies that our cached host EFER value has not changed
1676	* since we cached it.
1677	*
1678	* @param pVCpu The cross context virtual CPU structure.
1679	*/
1680	static void hmR0VmxCheckHostEferMsr(PVMCPU pVCpu)
1681	{
1682	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1683
1684	if (pVCpu->hm.s.vmx.u32ExitCtls & VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR)
1685	{
1686	uint64_t u64Val;
1687	int rc = VMXReadVmcs64(VMX_VMCS64_HOST_EFER_FULL, &u64Val);
1688	AssertRC(rc);
1689
1690	uint64_t u64HostEferMsr = ASMRdMsr(MSR_K6_EFER);
1691	AssertMsgReturnVoid(u64HostEferMsr == u64Val, ("u64HostEferMsr=%#RX64 u64Val=%#RX64\n", u64HostEferMsr, u64Val));
1692	}
1693	}
1694
1695
1696	/**
1697	* Verifies whether the guest/host MSR pairs in the auto-load/store area in the
1698	* VMCS are correct.
1699	*
1700	* @param pVCpu The cross context virtual CPU structure.
1701	*/
1702	static void hmR0VmxCheckAutoLoadStoreMsrs(PVMCPU pVCpu)
1703	{
1704	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1705
1706	/* Verify MSR counts in the VMCS are what we think it should be. */
1707	uint32_t cMsrs;
1708	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, &cMsrs); AssertRC(rc);
1709	Assert(cMsrs == pVCpu->hm.s.vmx.cMsrs);
1710
1711	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, &cMsrs); AssertRC(rc);
1712	Assert(cMsrs == pVCpu->hm.s.vmx.cMsrs);
1713
1714	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, &cMsrs); AssertRC(rc);
1715	Assert(cMsrs == pVCpu->hm.s.vmx.cMsrs);
1716
1717	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1718	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1719	for (uint32_t i = 0; i < cMsrs; i++, pHostMsr++, pGuestMsr++)
1720	{
1721	/* Verify that the MSRs are paired properly and that the host MSR has the correct value. */
1722	AssertMsgReturnVoid(pHostMsr->u32Msr == pGuestMsr->u32Msr, ("HostMsr=%#RX32 GuestMsr=%#RX32 cMsrs=%u\n", pHostMsr->u32Msr,
1723	pGuestMsr->u32Msr, cMsrs));
1724
1725	uint64_t u64Msr = ASMRdMsr(pHostMsr->u32Msr);
1726	AssertMsgReturnVoid(pHostMsr->u64Value == u64Msr, ("u32Msr=%#RX32 VMCS Value=%#RX64 ASMRdMsr=%#RX64 cMsrs=%u\n",
1727	pHostMsr->u32Msr, pHostMsr->u64Value, u64Msr, cMsrs));
1728
1729	/* Verify that the permissions are as expected in the MSR bitmap. */
1730	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1731	{
1732	VMXMSREXITREAD enmRead;
1733	VMXMSREXITWRITE enmWrite;
1734	rc = hmR0VmxGetMsrPermission(pVCpu, pGuestMsr->u32Msr, &enmRead, &enmWrite);
1735	AssertMsgReturnVoid(rc == VINF_SUCCESS, ("hmR0VmxGetMsrPermission! failed. rc=%Rrc\n", rc));
1736	if (pGuestMsr->u32Msr == MSR_K6_EFER)
1737	{
1738	AssertMsgReturnVoid(enmRead == VMXMSREXIT_INTERCEPT_READ, ("Passthru read for EFER!?\n"));
1739	AssertMsgReturnVoid(enmWrite == VMXMSREXIT_INTERCEPT_WRITE, ("Passthru write for EFER!?\n"));
1740	}
1741	else
1742	{
1743	AssertMsgReturnVoid(enmRead == VMXMSREXIT_PASSTHRU_READ, ("u32Msr=%#RX32 cMsrs=%u No passthru read!\n",
1744	pGuestMsr->u32Msr, cMsrs));
1745	AssertMsgReturnVoid(enmWrite == VMXMSREXIT_PASSTHRU_WRITE, ("u32Msr=%#RX32 cMsrs=%u No passthru write!\n",
1746	pGuestMsr->u32Msr, cMsrs));
1747	}
1748	}
1749	}
1750	}
1751	#endif /* VBOX_STRICT */
1752
1753
1754	/**
1755	* Flushes the TLB using EPT.
1756	*
1757	* @returns VBox status code.
1758	* @param pVCpu The cross context virtual CPU structure of the calling
1759	* EMT. Can be NULL depending on @a enmFlush.
1760	* @param enmFlush Type of flush.
1761	*
1762	* @remarks Caller is responsible for making sure this function is called only
1763	* when NestedPaging is supported and providing @a enmFlush that is
1764	* supported by the CPU.
1765	* @remarks Can be called with interrupts disabled.
1766	*/
1767	static void hmR0VmxFlushEpt(PVMCPU pVCpu, VMXFLUSHEPT enmFlush)
1768	{
1769	uint64_t au64Descriptor[2];
1770	if (enmFlush == VMXFLUSHEPT_ALL_CONTEXTS)
1771	au64Descriptor[0] = 0;
1772	else
1773	{
1774	Assert(pVCpu);
1775	au64Descriptor[0] = pVCpu->hm.s.vmx.HCPhysEPTP;
1776	}
1777	au64Descriptor[1] = 0; /* MBZ. Intel spec. 33.3 "VMX Instructions" */
1778
1779	int rc = VMXR0InvEPT(enmFlush, &au64Descriptor[0]);
1780	AssertMsg(rc == VINF_SUCCESS, ("VMXR0InvEPT %#x %RGv failed with %Rrc\n", enmFlush, pVCpu ? pVCpu->hm.s.vmx.HCPhysEPTP : 0,
1781	rc));
1782	if ( RT_SUCCESS(rc)
1783	&& pVCpu)
1784	{
1785	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushNestedPaging);
1786	}
1787	}
1788
1789
1790	/**
1791	* Flushes the TLB using VPID.
1792	*
1793	* @returns VBox status code.
1794	* @param pVM The cross context VM structure.
1795	* @param pVCpu The cross context virtual CPU structure of the calling
1796	* EMT. Can be NULL depending on @a enmFlush.
1797	* @param enmFlush Type of flush.
1798	* @param GCPtr Virtual address of the page to flush (can be 0 depending
1799	* on @a enmFlush).
1800	*
1801	* @remarks Can be called with interrupts disabled.
1802	*/
1803	static void hmR0VmxFlushVpid(PVM pVM, PVMCPU pVCpu, VMXFLUSHVPID enmFlush, RTGCPTR GCPtr)
1804	{
1805	NOREF(pVM);
1806	AssertPtr(pVM);
1807	Assert(pVM->hm.s.vmx.fVpid);
1808
1809	uint64_t au64Descriptor[2];
1810	if (enmFlush == VMXFLUSHVPID_ALL_CONTEXTS)
1811	{
1812	au64Descriptor[0] = 0;
1813	au64Descriptor[1] = 0;
1814	}
1815	else
1816	{
1817	AssertPtr(pVCpu);
1818	AssertMsg(pVCpu->hm.s.uCurrentAsid != 0, ("VMXR0InvVPID: invalid ASID %lu\n", pVCpu->hm.s.uCurrentAsid));
1819	AssertMsg(pVCpu->hm.s.uCurrentAsid <= UINT16_MAX, ("VMXR0InvVPID: invalid ASID %lu\n", pVCpu->hm.s.uCurrentAsid));
1820	au64Descriptor[0] = pVCpu->hm.s.uCurrentAsid;
1821	au64Descriptor[1] = GCPtr;
1822	}
1823
1824	int rc = VMXR0InvVPID(enmFlush, &au64Descriptor[0]); NOREF(rc);
1825	AssertMsg(rc == VINF_SUCCESS,
1826	("VMXR0InvVPID %#x %u %RGv failed with %d\n", enmFlush, pVCpu ? pVCpu->hm.s.uCurrentAsid : 0, GCPtr, rc));
1827	if ( RT_SUCCESS(rc)
1828	&& pVCpu)
1829	{
1830	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushAsid);
1831	}
1832	}
1833
1834
1835	/**
1836	* Invalidates a guest page by guest virtual address. Only relevant for
1837	* EPT/VPID, otherwise there is nothing really to invalidate.
1838	*
1839	* @returns VBox status code.
1840	* @param pVM The cross context VM structure.
1841	* @param pVCpu The cross context virtual CPU structure.
1842	* @param GCVirt Guest virtual address of the page to invalidate.
1843	*/
1844	VMMR0DECL(int) VMXR0InvalidatePage(PVM pVM, PVMCPU pVCpu, RTGCPTR GCVirt)
1845	{
1846	AssertPtr(pVM);
1847	AssertPtr(pVCpu);
1848	LogFlowFunc(("pVM=%p pVCpu=%p GCVirt=%RGv\n", pVM, pVCpu, GCVirt));
1849
1850	bool fFlushPending = VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_TLB_FLUSH);
1851	if (!fFlushPending)
1852	{
1853	/*
1854	* We must invalidate the guest TLB entry in either case, we cannot ignore it even for the EPT case
1855	* See @bugref{6043} and @bugref{6177}.
1856	*
1857	* Set the VMCPU_FF_TLB_FLUSH force flag and flush before VM-entry in hmR0VmxFlushTLB*() as this
1858	* function maybe called in a loop with individual addresses.
1859	*/
1860	if (pVM->hm.s.vmx.fVpid)
1861	{
1862	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_INDIV_ADDR)
1863	{
1864	hmR0VmxFlushVpid(pVM, pVCpu, VMXFLUSHVPID_INDIV_ADDR, GCVirt);
1865	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbInvlpgVirt);
1866	}
1867	else
1868	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
1869	}
1870	else if (pVM->hm.s.fNestedPaging)
1871	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
1872	}
1873
1874	return VINF_SUCCESS;
1875	}
1876
1877
1878	/**
1879	* Invalidates a guest page by physical address. Only relevant for EPT/VPID,
1880	* otherwise there is nothing really to invalidate.
1881	*
1882	* @returns VBox status code.
1883	* @param pVM The cross context VM structure.
1884	* @param pVCpu The cross context virtual CPU structure.
1885	* @param GCPhys Guest physical address of the page to invalidate.
1886	*/
1887	VMMR0DECL(int) VMXR0InvalidatePhysPage(PVM pVM, PVMCPU pVCpu, RTGCPHYS GCPhys)
1888	{
1889	NOREF(pVM); NOREF(GCPhys);
1890	LogFlowFunc(("%RGp\n", GCPhys));
1891
1892	/*
1893	* We cannot flush a page by guest-physical address. invvpid takes only a linear address while invept only flushes
1894	* by EPT not individual addresses. We update the force flag here and flush before the next VM-entry in hmR0VmxFlushTLB*().
1895	* This function might be called in a loop. This should cause a flush-by-EPT if EPT is in use. See @bugref{6568}.
1896	*/
1897	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
1898	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbInvlpgPhys);
1899	return VINF_SUCCESS;
1900	}
1901
1902
1903	/**
1904	* Dummy placeholder for tagged-TLB flush handling before VM-entry. Used in the
1905	* case where neither EPT nor VPID is supported by the CPU.
1906	*
1907	* @param pVM The cross context VM structure.
1908	* @param pVCpu The cross context virtual CPU structure.
1909	* @param pCpu Pointer to the global HM struct.
1910	*
1911	* @remarks Called with interrupts disabled.
1912	*/
1913	static void hmR0VmxFlushTaggedTlbNone(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
1914	{
1915	AssertPtr(pVCpu);
1916	AssertPtr(pCpu);
1917	NOREF(pVM);
1918
1919	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH);
1920
1921	Assert(pCpu->idCpu != NIL_RTCPUID);
1922	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
1923	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
1924	pVCpu->hm.s.fForceTLBFlush = false;
1925	return;
1926	}
1927
1928
1929	/**
1930	* Flushes the tagged-TLB entries for EPT+VPID CPUs as necessary.
1931	*
1932	* @param pVM The cross context VM structure.
1933	* @param pVCpu The cross context virtual CPU structure.
1934	* @param pCpu Pointer to the global HM CPU struct.
1935	* @remarks All references to "ASID" in this function pertains to "VPID" in
1936	* Intel's nomenclature. The reason is, to avoid confusion in compare
1937	* statements since the host-CPU copies are named "ASID".
1938	*
1939	* @remarks Called with interrupts disabled.
1940	*/
1941	static void hmR0VmxFlushTaggedTlbBoth(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
1942	{
1943	#ifdef VBOX_WITH_STATISTICS
1944	bool fTlbFlushed = false;
1945	# define HMVMX_SET_TAGGED_TLB_FLUSHED() do { fTlbFlushed = true; } while (0)
1946	# define HMVMX_UPDATE_FLUSH_SKIPPED_STAT() do { \
1947	if (!fTlbFlushed) \
1948	STAM_COUNTER_INC(&pVCpu->hm.s.StatNoFlushTlbWorldSwitch); \
1949	} while (0)
1950	#else
1951	# define HMVMX_SET_TAGGED_TLB_FLUSHED() do { } while (0)
1952	# define HMVMX_UPDATE_FLUSH_SKIPPED_STAT() do { } while (0)
1953	#endif
1954
1955	AssertPtr(pVM);
1956	AssertPtr(pCpu);
1957	AssertPtr(pVCpu);
1958	Assert(pCpu->idCpu != NIL_RTCPUID);
1959
1960	AssertMsg(pVM->hm.s.fNestedPaging && pVM->hm.s.vmx.fVpid,
1961	("hmR0VmxFlushTaggedTlbBoth cannot be invoked unless NestedPaging & VPID are enabled."
1962	"fNestedPaging=%RTbool fVpid=%RTbool", pVM->hm.s.fNestedPaging, pVM->hm.s.vmx.fVpid));
1963
1964	/*
1965	* Force a TLB flush for the first world-switch if the current CPU differs from the one we ran on last.
1966	* If the TLB flush count changed, another VM (VCPU rather) has hit the ASID limit while flushing the TLB
1967	* or the host CPU is online after a suspend/resume, so we cannot reuse the current ASID anymore.
1968	*/
1969	if ( pVCpu->hm.s.idLastCpu != pCpu->idCpu
1970	\|\| pVCpu->hm.s.cTlbFlushes != pCpu->cTlbFlushes)
1971	{
1972	++pCpu->uCurrentAsid;
1973	if (pCpu->uCurrentAsid >= pVM->hm.s.uMaxAsid)
1974	{
1975	pCpu->uCurrentAsid = 1; /* Wraparound to 1; host uses 0. */
1976	pCpu->cTlbFlushes++; /* All VCPUs that run on this host CPU must use a new VPID. */
1977	pCpu->fFlushAsidBeforeUse = true; /* All VCPUs that run on this host CPU must flush their new VPID before use. */
1978	}
1979
1980	pVCpu->hm.s.uCurrentAsid = pCpu->uCurrentAsid;
1981	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
1982	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
1983
1984	/*
1985	* Flush by EPT when we get rescheduled to a new host CPU to ensure EPT-only tagged mappings are also
1986	* invalidated. We don't need to flush-by-VPID here as flushing by EPT covers it. See @bugref{6568}.
1987	*/
1988	hmR0VmxFlushEpt(pVCpu, pVM->hm.s.vmx.enmFlushEpt);
1989	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
1990	HMVMX_SET_TAGGED_TLB_FLUSHED();
1991	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH); /* Already flushed-by-EPT, skip doing it again below. */
1992	}
1993
1994	/* Check for explicit TLB flushes. */
1995	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
1996	{
1997	/*
1998	* Changes to the EPT paging structure by VMM requires flushing by EPT as the CPU creates
1999	* guest-physical (only EPT-tagged) mappings while traversing the EPT tables when EPT is in use.
2000	* Flushing by VPID will only flush linear (only VPID-tagged) and combined (EPT+VPID tagged) mappings
2001	* but not guest-physical mappings.
2002	* See Intel spec. 28.3.2 "Creating and Using Cached Translation Information". See @bugref{6568}.
2003	*/
2004	hmR0VmxFlushEpt(pVCpu, pVM->hm.s.vmx.enmFlushEpt);
2005	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
2006	HMVMX_SET_TAGGED_TLB_FLUSHED();
2007	}
2008
2009	pVCpu->hm.s.fForceTLBFlush = false;
2010	HMVMX_UPDATE_FLUSH_SKIPPED_STAT();
2011
2012	Assert(pVCpu->hm.s.idLastCpu == pCpu->idCpu);
2013	Assert(pVCpu->hm.s.cTlbFlushes == pCpu->cTlbFlushes);
2014	AssertMsg(pVCpu->hm.s.cTlbFlushes == pCpu->cTlbFlushes,
2015	("Flush count mismatch for cpu %d (%u vs %u)\n", pCpu->idCpu, pVCpu->hm.s.cTlbFlushes, pCpu->cTlbFlushes));
2016	AssertMsg(pCpu->uCurrentAsid >= 1 && pCpu->uCurrentAsid < pVM->hm.s.uMaxAsid,
2017	("Cpu[%u] uCurrentAsid=%u cTlbFlushes=%u pVCpu->idLastCpu=%u pVCpu->cTlbFlushes=%u\n", pCpu->idCpu,
2018	pCpu->uCurrentAsid, pCpu->cTlbFlushes, pVCpu->hm.s.idLastCpu, pVCpu->hm.s.cTlbFlushes));
2019	AssertMsg(pVCpu->hm.s.uCurrentAsid >= 1 && pVCpu->hm.s.uCurrentAsid < pVM->hm.s.uMaxAsid,
2020	("Cpu[%u] pVCpu->uCurrentAsid=%u\n", pCpu->idCpu, pVCpu->hm.s.uCurrentAsid));
2021
2022	/* Update VMCS with the VPID. */
2023	int rc = VMXWriteVmcs32(VMX_VMCS16_VPID, pVCpu->hm.s.uCurrentAsid);
2024	AssertRC(rc);
2025
2026	#undef HMVMX_SET_TAGGED_TLB_FLUSHED
2027	}
2028
2029
2030	/**
2031	* Flushes the tagged-TLB entries for EPT CPUs as necessary.
2032	*
2033	* @returns VBox status code.
2034	* @param pVM The cross context VM structure.
2035	* @param pVCpu The cross context virtual CPU structure.
2036	* @param pCpu Pointer to the global HM CPU struct.
2037	*
2038	* @remarks Called with interrupts disabled.
2039	*/
2040	static void hmR0VmxFlushTaggedTlbEpt(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
2041	{
2042	AssertPtr(pVM);
2043	AssertPtr(pVCpu);
2044	AssertPtr(pCpu);
2045	Assert(pCpu->idCpu != NIL_RTCPUID);
2046	AssertMsg(pVM->hm.s.fNestedPaging, ("hmR0VmxFlushTaggedTlbEpt cannot be invoked with NestedPaging disabled."));
2047	AssertMsg(!pVM->hm.s.vmx.fVpid, ("hmR0VmxFlushTaggedTlbEpt cannot be invoked with VPID enabled."));
2048
2049	/*
2050	* Force a TLB flush for the first world-switch if the current CPU differs from the one we ran on last.
2051	* A change in the TLB flush count implies the host CPU is online after a suspend/resume.
2052	*/
2053	if ( pVCpu->hm.s.idLastCpu != pCpu->idCpu
2054	\|\| pVCpu->hm.s.cTlbFlushes != pCpu->cTlbFlushes)
2055	{
2056	pVCpu->hm.s.fForceTLBFlush = true;
2057	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
2058	}
2059
2060	/* Check for explicit TLB flushes. */
2061	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
2062	{
2063	pVCpu->hm.s.fForceTLBFlush = true;
2064	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
2065	}
2066
2067	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
2068	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
2069
2070	if (pVCpu->hm.s.fForceTLBFlush)
2071	{
2072	hmR0VmxFlushEpt(pVCpu, pVM->hm.s.vmx.enmFlushEpt);
2073	pVCpu->hm.s.fForceTLBFlush = false;
2074	}
2075	}
2076
2077
2078	/**
2079	* Flushes the tagged-TLB entries for VPID CPUs as necessary.
2080	*
2081	* @returns VBox status code.
2082	* @param pVM The cross context VM structure.
2083	* @param pVCpu The cross context virtual CPU structure.
2084	* @param pCpu Pointer to the global HM CPU struct.
2085	*
2086	* @remarks Called with interrupts disabled.
2087	*/
2088	static void hmR0VmxFlushTaggedTlbVpid(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
2089	{
2090	AssertPtr(pVM);
2091	AssertPtr(pVCpu);
2092	AssertPtr(pCpu);
2093	Assert(pCpu->idCpu != NIL_RTCPUID);
2094	AssertMsg(pVM->hm.s.vmx.fVpid, ("hmR0VmxFlushTlbVpid cannot be invoked with VPID disabled."));
2095	AssertMsg(!pVM->hm.s.fNestedPaging, ("hmR0VmxFlushTlbVpid cannot be invoked with NestedPaging enabled"));
2096
2097	/*
2098	* Force a TLB flush for the first world switch if the current CPU differs from the one we ran on last.
2099	* If the TLB flush count changed, another VM (VCPU rather) has hit the ASID limit while flushing the TLB
2100	* or the host CPU is online after a suspend/resume, so we cannot reuse the current ASID anymore.
2101	*/
2102	if ( pVCpu->hm.s.idLastCpu != pCpu->idCpu
2103	\|\| pVCpu->hm.s.cTlbFlushes != pCpu->cTlbFlushes)
2104	{
2105	pVCpu->hm.s.fForceTLBFlush = true;
2106	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
2107	}
2108
2109	/* Check for explicit TLB flushes. */
2110	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
2111	{
2112	/*
2113	* If we ever support VPID flush combinations other than ALL or SINGLE-context (see hmR0VmxSetupTaggedTlb())
2114	* we would need to explicitly flush in this case (add an fExplicitFlush = true here and change the
2115	* pCpu->fFlushAsidBeforeUse check below to include fExplicitFlush's too) - an obscure corner case.
2116	*/
2117	pVCpu->hm.s.fForceTLBFlush = true;
2118	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
2119	}
2120
2121	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
2122	if (pVCpu->hm.s.fForceTLBFlush)
2123	{
2124	++pCpu->uCurrentAsid;
2125	if (pCpu->uCurrentAsid >= pVM->hm.s.uMaxAsid)
2126	{
2127	pCpu->uCurrentAsid = 1; /* Wraparound to 1; host uses 0 */
2128	pCpu->cTlbFlushes++; /* All VCPUs that run on this host CPU must use a new VPID. */
2129	pCpu->fFlushAsidBeforeUse = true; /* All VCPUs that run on this host CPU must flush their new VPID before use. */
2130	}
2131
2132	pVCpu->hm.s.fForceTLBFlush = false;
2133	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
2134	pVCpu->hm.s.uCurrentAsid = pCpu->uCurrentAsid;
2135	if (pCpu->fFlushAsidBeforeUse)
2136	{
2137	if (pVM->hm.s.vmx.enmFlushVpid == VMXFLUSHVPID_SINGLE_CONTEXT)
2138	hmR0VmxFlushVpid(pVM, pVCpu, VMXFLUSHVPID_SINGLE_CONTEXT, 0 /* GCPtr */);
2139	else if (pVM->hm.s.vmx.enmFlushVpid == VMXFLUSHVPID_ALL_CONTEXTS)
2140	{
2141	hmR0VmxFlushVpid(pVM, pVCpu, VMXFLUSHVPID_ALL_CONTEXTS, 0 /* GCPtr */);
2142	pCpu->fFlushAsidBeforeUse = false;
2143	}
2144	else
2145	{
2146	/* hmR0VmxSetupTaggedTlb() ensures we never get here. Paranoia. */
2147	AssertMsgFailed(("Unsupported VPID-flush context type.\n"));
2148	}
2149	}
2150	}
2151
2152	AssertMsg(pVCpu->hm.s.cTlbFlushes == pCpu->cTlbFlushes,
2153	("Flush count mismatch for cpu %d (%u vs %u)\n", pCpu->idCpu, pVCpu->hm.s.cTlbFlushes, pCpu->cTlbFlushes));
2154	AssertMsg(pCpu->uCurrentAsid >= 1 && pCpu->uCurrentAsid < pVM->hm.s.uMaxAsid,
2155	("Cpu[%u] uCurrentAsid=%u cTlbFlushes=%u pVCpu->idLastCpu=%u pVCpu->cTlbFlushes=%u\n", pCpu->idCpu,
2156	pCpu->uCurrentAsid, pCpu->cTlbFlushes, pVCpu->hm.s.idLastCpu, pVCpu->hm.s.cTlbFlushes));
2157	AssertMsg(pVCpu->hm.s.uCurrentAsid >= 1 && pVCpu->hm.s.uCurrentAsid < pVM->hm.s.uMaxAsid,
2158	("Cpu[%u] pVCpu->uCurrentAsid=%u\n", pCpu->idCpu, pVCpu->hm.s.uCurrentAsid));
2159
2160	int rc = VMXWriteVmcs32(VMX_VMCS16_VPID, pVCpu->hm.s.uCurrentAsid);
2161	AssertRC(rc);
2162	}
2163
2164
2165	/**
2166	* Flushes the guest TLB entry based on CPU capabilities.
2167	*
2168	* @param pVCpu The cross context virtual CPU structure.
2169	* @param pCpu Pointer to the global HM CPU struct.
2170	*/
2171	DECLINLINE(void) hmR0VmxFlushTaggedTlb(PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
2172	{
2173	#ifdef HMVMX_ALWAYS_FLUSH_TLB
2174	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
2175	#endif
2176	PVM pVM = pVCpu->CTX_SUFF(pVM);
2177	switch (pVM->hm.s.vmx.uFlushTaggedTlb)
2178	{
2179	case HMVMX_FLUSH_TAGGED_TLB_EPT_VPID: hmR0VmxFlushTaggedTlbBoth(pVM, pVCpu, pCpu); break;
2180	case HMVMX_FLUSH_TAGGED_TLB_EPT: hmR0VmxFlushTaggedTlbEpt(pVM, pVCpu, pCpu); break;
2181	case HMVMX_FLUSH_TAGGED_TLB_VPID: hmR0VmxFlushTaggedTlbVpid(pVM, pVCpu, pCpu); break;
2182	case HMVMX_FLUSH_TAGGED_TLB_NONE: hmR0VmxFlushTaggedTlbNone(pVM, pVCpu, pCpu); break;
2183	default:
2184	AssertMsgFailed(("Invalid flush-tag function identifier\n"));
2185	break;
2186	}
2187
2188	/* Don't assert that VMCPU_FF_TLB_FLUSH should no longer be pending. It can be set by other EMTs. */
2189	}
2190
2191
2192	/**
2193	* Sets up the appropriate tagged TLB-flush level and handler for flushing guest
2194	* TLB entries from the host TLB before VM-entry.
2195	*
2196	* @returns VBox status code.
2197	* @param pVM The cross context VM structure.
2198	*/
2199	static int hmR0VmxSetupTaggedTlb(PVM pVM)
2200	{
2201	/*
2202	* Determine optimal flush type for Nested Paging.
2203	* We cannot ignore EPT if no suitable flush-types is supported by the CPU as we've already setup unrestricted
2204	* guest execution (see hmR3InitFinalizeR0()).
2205	*/
2206	if (pVM->hm.s.fNestedPaging)
2207	{
2208	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT)
2209	{
2210	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_SINGLE_CONTEXT)
2211	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_SINGLE_CONTEXT;
2212	else if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_ALL_CONTEXTS)
2213	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_ALL_CONTEXTS;
2214	else
2215	{
2216	/* Shouldn't happen. EPT is supported but no suitable flush-types supported. */
2217	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2218	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_FLUSH_TYPE_UNSUPPORTED;
2219	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2220	}
2221
2222	/* Make sure the write-back cacheable memory type for EPT is supported. */
2223	if (RT_UNLIKELY(!(pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_EMT_WB)))
2224	{
2225	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2226	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_MEM_TYPE_NOT_WB;
2227	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2228	}
2229
2230	/* EPT requires a page-walk length of 4. */
2231	if (RT_UNLIKELY(!(pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_PAGE_WALK_LENGTH_4)))
2232	{
2233	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2234	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_PAGE_WALK_LENGTH_UNSUPPORTED;
2235	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2236	}
2237	}
2238	else
2239	{
2240	/* Shouldn't happen. EPT is supported but INVEPT instruction is not supported. */
2241	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2242	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_INVEPT_UNAVAILABLE;
2243	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2244	}
2245	}
2246
2247	/*
2248	* Determine optimal flush type for VPID.
2249	*/
2250	if (pVM->hm.s.vmx.fVpid)
2251	{
2252	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID)
2253	{
2254	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_SINGLE_CONTEXT)
2255	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_SINGLE_CONTEXT;
2256	else if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_ALL_CONTEXTS)
2257	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_ALL_CONTEXTS;
2258	else
2259	{
2260	/* Neither SINGLE nor ALL-context flush types for VPID is supported by the CPU. Ignore VPID capability. */
2261	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_INDIV_ADDR)
2262	LogRel(("hmR0VmxSetupTaggedTlb: Only INDIV_ADDR supported. Ignoring VPID.\n"));
2263	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_SINGLE_CONTEXT_RETAIN_GLOBALS)
2264	LogRel(("hmR0VmxSetupTaggedTlb: Only SINGLE_CONTEXT_RETAIN_GLOBALS supported. Ignoring VPID.\n"));
2265	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_NOT_SUPPORTED;
2266	pVM->hm.s.vmx.fVpid = false;
2267	}
2268	}
2269	else
2270	{
2271	/* Shouldn't happen. VPID is supported but INVVPID is not supported by the CPU. Ignore VPID capability. */
2272	Log4(("hmR0VmxSetupTaggedTlb: VPID supported without INVEPT support. Ignoring VPID.\n"));
2273	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_NOT_SUPPORTED;
2274	pVM->hm.s.vmx.fVpid = false;
2275	}
2276	}
2277
2278	/*
2279	* Setup the handler for flushing tagged-TLBs.
2280	*/
2281	if (pVM->hm.s.fNestedPaging && pVM->hm.s.vmx.fVpid)
2282	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_EPT_VPID;
2283	else if (pVM->hm.s.fNestedPaging)
2284	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_EPT;
2285	else if (pVM->hm.s.vmx.fVpid)
2286	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_VPID;
2287	else
2288	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_NONE;
2289	return VINF_SUCCESS;
2290	}
2291
2292
2293	/**
2294	* Sets up pin-based VM-execution controls in the VMCS.
2295	*
2296	* @returns VBox status code.
2297	* @param pVM The cross context VM structure.
2298	* @param pVCpu The cross context virtual CPU structure.
2299	*/
2300	static int hmR0VmxSetupPinCtls(PVM pVM, PVMCPU pVCpu)
2301	{
2302	AssertPtr(pVM);
2303	AssertPtr(pVCpu);
2304
2305	uint32_t val = pVM->hm.s.vmx.Msrs.VmxPinCtls.n.disallowed0; /* Bits set here must always be set. */
2306	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1; /* Bits cleared here must always be cleared. */
2307
2308	val \|= VMX_VMCS_CTRL_PIN_EXEC_EXT_INT_EXIT /* External interrupts cause a VM-exit. */
2309	\| VMX_VMCS_CTRL_PIN_EXEC_NMI_EXIT; /* Non-maskable interrupts (NMIs) cause a VM-exit. */
2310
2311	if (pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1 & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI)
2312	val \|= VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI; /* Use virtual NMIs and virtual-NMI blocking features. */
2313
2314	/* Enable the VMX preemption timer. */
2315	if (pVM->hm.s.vmx.fUsePreemptTimer)
2316	{
2317	Assert(pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1 & VMX_VMCS_CTRL_PIN_EXEC_PREEMPT_TIMER);
2318	val \|= VMX_VMCS_CTRL_PIN_EXEC_PREEMPT_TIMER;
2319	}
2320
2321	#ifdef VBOX_WITH_NEW_APIC
2322	#if 0
2323	/* Enable posted-interrupt processing. */
2324	if (pVM->hm.s.fPostedIntrs)
2325	{
2326	Assert(pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1 & VMX_VMCS_CTRL_PIN_EXEC_POSTED_INTR);
2327	Assert(pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_ACK_EXT_INT);
2328	val \|= VMX_VMCS_CTRL_PIN_EXEC_POSTED_INTR;
2329	}
2330	#endif
2331	#endif
2332
2333	if ((val & zap) != val)
2334	{
2335	LogRel(("hmR0VmxSetupPinCtls: Invalid pin-based VM-execution controls combo! cpu=%#RX64 val=%#RX64 zap=%#RX64\n",
2336	pVM->hm.s.vmx.Msrs.VmxPinCtls.n.disallowed0, val, zap));
2337	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PIN_EXEC;
2338	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2339	}
2340
2341	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PIN_EXEC, val);
2342	AssertRCReturn(rc, rc);
2343
2344	pVCpu->hm.s.vmx.u32PinCtls = val;
2345	return rc;
2346	}
2347
2348
2349	/**
2350	* Sets up processor-based VM-execution controls in the VMCS.
2351	*
2352	* @returns VBox status code.
2353	* @param pVM The cross context VM structure.
2354	* @param pVCpu The cross context virtual CPU structure.
2355	*/
2356	static int hmR0VmxSetupProcCtls(PVM pVM, PVMCPU pVCpu)
2357	{
2358	AssertPtr(pVM);
2359	AssertPtr(pVCpu);
2360
2361	int rc = VERR_INTERNAL_ERROR_5;
2362	uint32_t val = pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0; /* Bits set here must be set in the VMCS. */
2363	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
2364
2365	val \|= VMX_VMCS_CTRL_PROC_EXEC_HLT_EXIT /* HLT causes a VM-exit. */
2366	\| VMX_VMCS_CTRL_PROC_EXEC_USE_TSC_OFFSETTING /* Use TSC-offsetting. */
2367	\| VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT /* MOV DRx causes a VM-exit. */
2368	\| VMX_VMCS_CTRL_PROC_EXEC_UNCOND_IO_EXIT /* All IO instructions cause a VM-exit. */
2369	\| VMX_VMCS_CTRL_PROC_EXEC_RDPMC_EXIT /* RDPMC causes a VM-exit. */
2370	\| VMX_VMCS_CTRL_PROC_EXEC_MONITOR_EXIT /* MONITOR causes a VM-exit. */
2371	\| VMX_VMCS_CTRL_PROC_EXEC_MWAIT_EXIT; /* MWAIT causes a VM-exit. */
2372
2373	/* We toggle VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT later, check if it's not -always- needed to be set or clear. */
2374	if ( !(pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT)
2375	\|\| (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0 & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT))
2376	{
2377	LogRel(("hmR0VmxSetupProcCtls: Unsupported VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT combo!"));
2378	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_MOV_DRX_EXIT;
2379	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2380	}
2381
2382	/* Without Nested Paging, INVLPG (also affects INVPCID) and MOV CR3 instructions should cause VM-exits. */
2383	if (!pVM->hm.s.fNestedPaging)
2384	{
2385	Assert(!pVM->hm.s.vmx.fUnrestrictedGuest); /* Paranoia. */
2386	val \|= VMX_VMCS_CTRL_PROC_EXEC_INVLPG_EXIT
2387	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT
2388	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT;
2389	}
2390
2391	/* Use TPR shadowing if supported by the CPU. */
2392	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
2393	{
2394	Assert(pVCpu->hm.s.vmx.HCPhysVirtApic);
2395	Assert(!(pVCpu->hm.s.vmx.HCPhysVirtApic & 0xfff)); /* Bits 11:0 MBZ. */
2396	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_TPR_THRESHOLD, 0);
2397	rc \|= VMXWriteVmcs64(VMX_VMCS64_CTRL_VAPIC_PAGEADDR_FULL, pVCpu->hm.s.vmx.HCPhysVirtApic);
2398	AssertRCReturn(rc, rc);
2399
2400	val \|= VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW; /* CR8 reads from the Virtual-APIC page. */
2401	/* CR8 writes cause a VM-exit based on TPR threshold. */
2402	Assert(!(val & VMX_VMCS_CTRL_PROC_EXEC_CR8_STORE_EXIT));
2403	Assert(!(val & VMX_VMCS_CTRL_PROC_EXEC_CR8_LOAD_EXIT));
2404	}
2405	else
2406	{
2407	/*
2408	* Some 32-bit CPUs do not support CR8 load/store exiting as MOV CR8 is invalid on 32-bit Intel CPUs.
2409	* Set this control only for 64-bit guests.
2410	*/
2411	if (pVM->hm.s.fAllow64BitGuests)
2412	{
2413	val \|= VMX_VMCS_CTRL_PROC_EXEC_CR8_STORE_EXIT /* CR8 reads cause a VM-exit. */
2414	\| VMX_VMCS_CTRL_PROC_EXEC_CR8_LOAD_EXIT; /* CR8 writes cause a VM-exit. */
2415	}
2416	}
2417
2418	/* Use MSR-bitmaps if supported by the CPU. */
2419	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
2420	{
2421	val \|= VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS;
2422
2423	Assert(pVCpu->hm.s.vmx.HCPhysMsrBitmap);
2424	Assert(!(pVCpu->hm.s.vmx.HCPhysMsrBitmap & 0xfff)); /* Bits 11:0 MBZ. */
2425	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_MSR_BITMAP_FULL, pVCpu->hm.s.vmx.HCPhysMsrBitmap);
2426	AssertRCReturn(rc, rc);
2427
2428	/*
2429	* The guest can access the following MSRs (read, write) without causing VM-exits; they are loaded/stored
2430	* automatically using dedicated fields in the VMCS.
2431	*/
2432	hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_CS, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2433	hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_ESP, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2434	hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_EIP, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2435	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_GS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2436	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_FS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2437
2438	#if HC_ARCH_BITS == 64
2439	/*
2440	* Set passthru permissions for the following MSRs (mandatory for VT-x) required for 64-bit guests.
2441	*/
2442	if (pVM->hm.s.fAllow64BitGuests)
2443	{
2444	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_LSTAR, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2445	hmR0VmxSetMsrPermission(pVCpu, MSR_K6_STAR, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2446	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_SF_MASK, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2447	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_KERNEL_GS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2448	}
2449	#endif
2450	/* Though MSR_IA32_PERF_GLOBAL_CTRL is saved/restored lazily, we want intercept reads/write to it for now. */
2451	}
2452
2453	/* Use the secondary processor-based VM-execution controls if supported by the CPU. */
2454	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL)
2455	val \|= VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL;
2456
2457	if ((val & zap) != val)
2458	{
2459	LogRel(("hmR0VmxSetupProcCtls: Invalid processor-based VM-execution controls combo! cpu=%#RX64 val=%#RX64 zap=%#RX64\n",
2460	pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0, val, zap));
2461	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_EXEC;
2462	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2463	}
2464
2465	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, val);
2466	AssertRCReturn(rc, rc);
2467
2468	pVCpu->hm.s.vmx.u32ProcCtls = val;
2469
2470	/*
2471	* Secondary processor-based VM-execution controls.
2472	*/
2473	if (RT_LIKELY(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL))
2474	{
2475	val = pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.disallowed0; /* Bits set here must be set in the VMCS. */
2476	zap = pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
2477
2478	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_WBINVD_EXIT)
2479	val \|= VMX_VMCS_CTRL_PROC_EXEC2_WBINVD_EXIT; /* WBINVD causes a VM-exit. */
2480
2481	if (pVM->hm.s.fNestedPaging)
2482	val \|= VMX_VMCS_CTRL_PROC_EXEC2_EPT; /* Enable EPT. */
2483	else
2484	{
2485	/*
2486	* Without Nested Paging, INVPCID should cause a VM-exit. Enabling this bit causes the CPU to refer to
2487	* VMX_VMCS_CTRL_PROC_EXEC_INVLPG_EXIT when INVPCID is executed by the guest.
2488	* See Intel spec. 25.4 "Changes to instruction behaviour in VMX non-root operation".
2489	*/
2490	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_INVPCID)
2491	val \|= VMX_VMCS_CTRL_PROC_EXEC2_INVPCID;
2492	}
2493
2494	if (pVM->hm.s.vmx.fVpid)
2495	val \|= VMX_VMCS_CTRL_PROC_EXEC2_VPID; /* Enable VPID. */
2496
2497	if (pVM->hm.s.vmx.fUnrestrictedGuest)
2498	val \|= VMX_VMCS_CTRL_PROC_EXEC2_UNRESTRICTED_GUEST; /* Enable Unrestricted Execution. */
2499
2500	#ifdef VBOX_WITH_NEW_APIC
2501	#if 0
2502	if (pVM->hm.s.fVirtApicRegs)
2503	{
2504	Assert(pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_APIC_REG_VIRT);
2505	val \|= VMX_VMCS_CTRL_PROC_EXEC2_APIC_REG_VIRT; /* Enable APIC-register virtualization. */
2506
2507	Assert(pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_INTR_DELIVERY);
2508	val \|= VMX_VMCS_CTRL_PROC_EXEC2_VIRT_INTR_DELIVERY; /* Enable virtual-interrupt delivery. */
2509	}
2510	#endif
2511	#endif
2512
2513	/* Enable Virtual-APIC page accesses if supported by the CPU. This is essentially where the TPR shadow resides. */
2514	/** @todo VIRT_X2APIC support, it's mutually exclusive with this. So must be
2515	* done dynamically. */
2516	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC)
2517	{
2518	Assert(pVM->hm.s.vmx.HCPhysApicAccess);
2519	Assert(!(pVM->hm.s.vmx.HCPhysApicAccess & 0xfff)); /* Bits 11:0 MBZ. */
2520	val \|= VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC; /* Virtualize APIC accesses. */
2521	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_APIC_ACCESSADDR_FULL, pVM->hm.s.vmx.HCPhysApicAccess);
2522	AssertRCReturn(rc, rc);
2523	}
2524
2525	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_RDTSCP)
2526	val \|= VMX_VMCS_CTRL_PROC_EXEC2_RDTSCP; /* Enable RDTSCP support. */
2527
2528	if ( pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_PAUSE_LOOP_EXIT
2529	&& pVM->hm.s.vmx.cPleGapTicks
2530	&& pVM->hm.s.vmx.cPleWindowTicks)
2531	{
2532	val \|= VMX_VMCS_CTRL_PROC_EXEC2_PAUSE_LOOP_EXIT; /* Enable pause-loop exiting. */
2533
2534	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PLE_GAP, pVM->hm.s.vmx.cPleGapTicks);
2535	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_PLE_WINDOW, pVM->hm.s.vmx.cPleWindowTicks);
2536	AssertRCReturn(rc, rc);
2537	}
2538
2539	if ((val & zap) != val)
2540	{
2541	LogRel(("hmR0VmxSetupProcCtls: Invalid secondary processor-based VM-execution controls combo! "
2542	"cpu=%#RX64 val=%#RX64 zap=%#RX64\n", pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.disallowed0, val, zap));
2543	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_EXEC2;
2544	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2545	}
2546
2547	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, val);
2548	AssertRCReturn(rc, rc);
2549
2550	pVCpu->hm.s.vmx.u32ProcCtls2 = val;
2551	}
2552	else if (RT_UNLIKELY(pVM->hm.s.vmx.fUnrestrictedGuest))
2553	{
2554	LogRel(("hmR0VmxSetupProcCtls: Unrestricted Guest set as true when secondary processor-based VM-execution controls not "
2555	"available\n"));
2556	pVCpu->hm.s.u32HMError = VMX_UFC_INVALID_UX_COMBO;
2557	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2558	}
2559
2560	return VINF_SUCCESS;
2561	}
2562
2563
2564	/**
2565	* Sets up miscellaneous (everything other than Pin & Processor-based
2566	* VM-execution) control fields in the VMCS.
2567	*
2568	* @returns VBox status code.
2569	* @param pVM The cross context VM structure.
2570	* @param pVCpu The cross context virtual CPU structure.
2571	*/
2572	static int hmR0VmxSetupMiscCtls(PVM pVM, PVMCPU pVCpu)
2573	{
2574	NOREF(pVM);
2575	AssertPtr(pVM);
2576	AssertPtr(pVCpu);
2577
2578	int rc = VERR_GENERAL_FAILURE;
2579
2580	/* All fields are zero-initialized during allocation; but don't remove the commented block below. */
2581	#if 0
2582	/* All CR3 accesses cause VM-exits. Later we optimize CR3 accesses (see hmR0VmxLoadGuestCR3AndCR4())*/
2583	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_CR3_TARGET_COUNT, 0);
2584	rc \|= VMXWriteVmcs64(VMX_VMCS64_CTRL_TSC_OFFSET_FULL, 0);
2585
2586	/*
2587	* Set MASK & MATCH to 0. VMX checks if GuestPFErrCode & MASK == MATCH. If equal (in our case it always is)
2588	* and if the X86_XCPT_PF bit in the exception bitmap is set it causes a VM-exit, if clear doesn't cause an exit.
2589	* We thus use the exception bitmap to control it rather than use both.
2590	*/
2591	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK, 0);
2592	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH, 0);
2593
2594	/** @todo Explore possibility of using IO-bitmaps. */
2595	/* All IO & IOIO instructions cause VM-exits. */
2596	rc \|= VMXWriteVmcs64(VMX_VMCS64_CTRL_IO_BITMAP_A_FULL, 0);
2597	rc \|= VMXWriteVmcs64(VMX_VMCS64_CTRL_IO_BITMAP_B_FULL, 0);
2598
2599	/* Initialize the MSR-bitmap area. */
2600	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, 0);
2601	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, 0);
2602	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, 0);
2603	AssertRCReturn(rc, rc);
2604	#endif
2605
2606	/* Setup MSR auto-load/store area. */
2607	Assert(pVCpu->hm.s.vmx.HCPhysGuestMsr);
2608	Assert(!(pVCpu->hm.s.vmx.HCPhysGuestMsr & 0xf)); /* Lower 4 bits MBZ. */
2609	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_ENTRY_MSR_LOAD_FULL, pVCpu->hm.s.vmx.HCPhysGuestMsr);
2610	rc \|= VMXWriteVmcs64(VMX_VMCS64_CTRL_EXIT_MSR_STORE_FULL, pVCpu->hm.s.vmx.HCPhysGuestMsr);
2611	AssertRCReturn(rc, rc);
2612
2613	Assert(pVCpu->hm.s.vmx.HCPhysHostMsr);
2614	Assert(!(pVCpu->hm.s.vmx.HCPhysHostMsr & 0xf)); /* Lower 4 bits MBZ. */
2615	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_EXIT_MSR_LOAD_FULL, pVCpu->hm.s.vmx.HCPhysHostMsr);
2616	AssertRCReturn(rc, rc);
2617
2618	/* Set VMCS link pointer. Reserved for future use, must be -1. Intel spec. 24.4 "Guest-State Area". */
2619	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL, UINT64_C(0xffffffffffffffff));
2620	AssertRCReturn(rc, rc);
2621
2622	/* All fields are zero-initialized during allocation; but don't remove the commented block below. */
2623	#if 0
2624	/* Setup debug controls */
2625	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_DEBUGCTL_FULL, 0); /** @todo We don't support IA32_DEBUGCTL MSR. Should we? */
2626	rc \|= VMXWriteVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, 0);
2627	AssertRCReturn(rc, rc);
2628	#endif
2629
2630	return rc;
2631	}
2632
2633
2634	/**
2635	* Sets up the initial exception bitmap in the VMCS based on static conditions.
2636	*
2637	* @returns VBox status code.
2638	* @param pVM The cross context VM structure.
2639	* @param pVCpu The cross context virtual CPU structure.
2640	*/
2641	static int hmR0VmxInitXcptBitmap(PVM pVM, PVMCPU pVCpu)
2642	{
2643	AssertPtr(pVM);
2644	AssertPtr(pVCpu);
2645
2646	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
2647
2648	uint32_t u32XcptBitmap = pVCpu->hm.s.fGIMTrapXcptUD ? RT_BIT(X86_XCPT_UD) : 0;
2649
2650	/* Must always intercept #AC to prevent the guest from hanging the CPU. */
2651	u32XcptBitmap \|= RT_BIT_32(X86_XCPT_AC);
2652
2653	/* Because we need to maintain the DR6 state even when intercepting DRx reads
2654	and writes, and because recursive #DBs can cause the CPU hang, we must always
2655	intercept #DB. */
2656	u32XcptBitmap \|= RT_BIT_32(X86_XCPT_DB);
2657
2658	/* Without Nested Paging, #PF must cause a VM-exit so we can sync our shadow page tables. */
2659	if (!pVM->hm.s.fNestedPaging)
2660	u32XcptBitmap \|= RT_BIT(X86_XCPT_PF);
2661
2662	pVCpu->hm.s.vmx.u32XcptBitmap = u32XcptBitmap;
2663	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, u32XcptBitmap);
2664	AssertRCReturn(rc, rc);
2665	return rc;
2666	}
2667
2668
2669	/**
2670	* Sets up the initial guest-state mask. The guest-state mask is consulted
2671	* before reading guest-state fields from the VMCS as VMREADs can be expensive
2672	* for the nested virtualization case (as it would cause a VM-exit).
2673	*
2674	* @param pVCpu The cross context virtual CPU structure.
2675	*/
2676	static int hmR0VmxInitUpdatedGuestStateMask(PVMCPU pVCpu)
2677	{
2678	/* Initially the guest-state is up-to-date as there is nothing in the VMCS. */
2679	HMVMXCPU_GST_RESET_TO(pVCpu, HMVMX_UPDATED_GUEST_ALL);
2680	return VINF_SUCCESS;
2681	}
2682
2683
2684	/**
2685	* Does per-VM VT-x initialization.
2686	*
2687	* @returns VBox status code.
2688	* @param pVM The cross context VM structure.
2689	*/
2690	VMMR0DECL(int) VMXR0InitVM(PVM pVM)
2691	{
2692	LogFlowFunc(("pVM=%p\n", pVM));
2693
2694	int rc = hmR0VmxStructsAlloc(pVM);
2695	if (RT_FAILURE(rc))
2696	{
2697	LogRel(("VMXR0InitVM: hmR0VmxStructsAlloc failed! rc=%Rrc\n", rc));
2698	return rc;
2699	}
2700
2701	return VINF_SUCCESS;
2702	}
2703
2704
2705	/**
2706	* Does per-VM VT-x termination.
2707	*
2708	* @returns VBox status code.
2709	* @param pVM The cross context VM structure.
2710	*/
2711	VMMR0DECL(int) VMXR0TermVM(PVM pVM)
2712	{
2713	LogFlowFunc(("pVM=%p\n", pVM));
2714
2715	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
2716	if (pVM->hm.s.vmx.hMemObjScratch != NIL_RTR0MEMOBJ)
2717	ASMMemZero32(pVM->hm.s.vmx.pvScratch, PAGE_SIZE);
2718	#endif
2719	hmR0VmxStructsFree(pVM);
2720	return VINF_SUCCESS;
2721	}
2722
2723
2724	/**
2725	* Sets up the VM for execution under VT-x.
2726	* This function is only called once per-VM during initialization.
2727	*
2728	* @returns VBox status code.
2729	* @param pVM The cross context VM structure.
2730	*/
2731	VMMR0DECL(int) VMXR0SetupVM(PVM pVM)
2732	{
2733	AssertPtrReturn(pVM, VERR_INVALID_PARAMETER);
2734	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
2735
2736	LogFlowFunc(("pVM=%p\n", pVM));
2737
2738	/*
2739	* Without UnrestrictedGuest, pRealModeTSS and pNonPagingModeEPTPageTable must always be allocated.
2740	* We no longer support the highly unlikely case of UnrestrictedGuest without pRealModeTSS. See hmR3InitFinalizeR0Intel().
2741	*/
2742	if ( !pVM->hm.s.vmx.fUnrestrictedGuest
2743	&& ( !pVM->hm.s.vmx.pNonPagingModeEPTPageTable
2744	\|\| !pVM->hm.s.vmx.pRealModeTSS))
2745	{
2746	LogRel(("VMXR0SetupVM: Invalid real-on-v86 state.\n"));
2747	return VERR_INTERNAL_ERROR;
2748	}
2749
2750	/* Initialize these always, see hmR3InitFinalizeR0().*/
2751	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NONE;
2752	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_NONE;
2753
2754	/* Setup the tagged-TLB flush handlers. */
2755	int rc = hmR0VmxSetupTaggedTlb(pVM);
2756	if (RT_FAILURE(rc))
2757	{
2758	LogRel(("VMXR0SetupVM: hmR0VmxSetupTaggedTlb failed! rc=%Rrc\n", rc));
2759	return rc;
2760	}
2761
2762	/* Check if we can use the VMCS controls for swapping the EFER MSR. */
2763	Assert(!pVM->hm.s.vmx.fSupportsVmcsEfer);
2764	#if HC_ARCH_BITS == 64
2765	if ( (pVM->hm.s.vmx.Msrs.VmxEntry.n.allowed1 & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR)
2766	&& (pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR)
2767	&& (pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_SAVE_GUEST_EFER_MSR))
2768	{
2769	pVM->hm.s.vmx.fSupportsVmcsEfer = true;
2770	}
2771	#endif
2772
2773	/* At least verify VMX is enabled, since we can't check if we're in VMX root mode without #GP'ing. */
2774	RTCCUINTREG uHostCR4 = ASMGetCR4();
2775	if (RT_UNLIKELY(!(uHostCR4 & X86_CR4_VMXE)))
2776	return VERR_VMX_NOT_IN_VMX_ROOT_MODE;
2777
2778	for (VMCPUID i = 0; i < pVM->cCpus; i++)
2779	{
2780	PVMCPU pVCpu = &pVM->aCpus[i];
2781	AssertPtr(pVCpu);
2782	AssertPtr(pVCpu->hm.s.vmx.pvVmcs);
2783
2784	/* Log the VCPU pointers, useful for debugging SMP VMs. */
2785	Log4(("VMXR0SetupVM: pVCpu=%p idCpu=%RU32\n", pVCpu, pVCpu->idCpu));
2786
2787	/* Initialize the VM-exit history array with end-of-array markers (UINT16_MAX). */
2788	Assert(!pVCpu->hm.s.idxExitHistoryFree);
2789	HMCPU_EXIT_HISTORY_RESET(pVCpu);
2790
2791	/* Set revision dword at the beginning of the VMCS structure. */
2792	(uint32_t )pVCpu->hm.s.vmx.pvVmcs = MSR_IA32_VMX_BASIC_INFO_VMCS_ID(pVM->hm.s.vmx.Msrs.u64BasicInfo);
2793
2794	/* Initialize our VMCS region in memory, set the VMCS launch state to "clear". */
2795	rc = VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
2796	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: VMXClearVmcs failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2797	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2798
2799	/* Load this VMCS as the current VMCS. */
2800	rc = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
2801	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: VMXActivateVmcs failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2802	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2803
2804	rc = hmR0VmxSetupPinCtls(pVM, pVCpu);
2805	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxSetupPinCtls failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2806	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2807
2808	rc = hmR0VmxSetupProcCtls(pVM, pVCpu);
2809	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxSetupProcCtls failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2810	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2811
2812	rc = hmR0VmxSetupMiscCtls(pVM, pVCpu);
2813	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxSetupMiscCtls failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2814	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2815
2816	rc = hmR0VmxInitXcptBitmap(pVM, pVCpu);
2817	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxInitXcptBitmap failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2818	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2819
2820	rc = hmR0VmxInitUpdatedGuestStateMask(pVCpu);
2821	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxInitUpdatedGuestStateMask failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2822	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2823
2824	#if HC_ARCH_BITS == 32
2825	rc = hmR0VmxInitVmcsReadCache(pVM, pVCpu);
2826	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxInitVmcsReadCache failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2827	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2828	#endif
2829
2830	/* Re-sync the CPU's internal data into our VMCS memory region & reset the launch state to "clear". */
2831	rc = VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
2832	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: VMXClearVmcs(2) failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2833	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2834
2835	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_CLEAR;
2836
2837	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc);
2838	}
2839
2840	return VINF_SUCCESS;
2841	}
2842
2843
2844	/**
2845	* Saves the host control registers (CR0, CR3, CR4) into the host-state area in
2846	* the VMCS.
2847	*
2848	* @returns VBox status code.
2849	* @param pVM The cross context VM structure.
2850	* @param pVCpu The cross context virtual CPU structure.
2851	*/
2852	DECLINLINE(int) hmR0VmxSaveHostControlRegs(PVM pVM, PVMCPU pVCpu)
2853	{
2854	NOREF(pVM); NOREF(pVCpu);
2855
2856	RTCCUINTREG uReg = ASMGetCR0();
2857	int rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_CR0, uReg);
2858	AssertRCReturn(rc, rc);
2859
2860	uReg = ASMGetCR3();
2861	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_CR3, uReg);
2862	AssertRCReturn(rc, rc);
2863
2864	uReg = ASMGetCR4();
2865	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_CR4, uReg);
2866	AssertRCReturn(rc, rc);
2867	return rc;
2868	}
2869
2870
2871	#if HC_ARCH_BITS == 64
2872	/**
2873	* Macro for adjusting host segment selectors to satisfy VT-x's VM-entry
2874	* requirements. See hmR0VmxSaveHostSegmentRegs().
2875	*/
2876	# define VMXLOCAL_ADJUST_HOST_SEG(seg, selValue) \
2877	if ((selValue) & (X86_SEL_RPL \| X86_SEL_LDT)) \
2878	{ \
2879	bool fValidSelector = true; \
2880	if ((selValue) & X86_SEL_LDT) \
2881	{ \
2882	uint32_t uAttr = ASMGetSegAttr((selValue)); \
2883	fValidSelector = RT_BOOL(uAttr != UINT32_MAX && (uAttr & X86_DESC_P)); \
2884	} \
2885	if (fValidSelector) \
2886	{ \
2887	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_SEL_##seg; \
2888	pVCpu->hm.s.vmx.RestoreHost.uHostSel##seg = (selValue); \
2889	} \
2890	(selValue) = 0; \
2891	}
2892	#endif
2893
2894
2895	/**
2896	* Saves the host segment registers and GDTR, IDTR, (TR, GS and FS bases) into
2897	* the host-state area in the VMCS.
2898	*
2899	* @returns VBox status code.
2900	* @param pVM The cross context VM structure.
2901	* @param pVCpu The cross context virtual CPU structure.
2902	*/
2903	DECLINLINE(int) hmR0VmxSaveHostSegmentRegs(PVM pVM, PVMCPU pVCpu)
2904	{
2905	int rc = VERR_INTERNAL_ERROR_5;
2906
2907	#if HC_ARCH_BITS == 64
2908	/*
2909	* If we've executed guest code using VT-x, the host-state bits will be messed up. We
2910	* should -not- save the messed up state without restoring the original host-state. See @bugref{7240}.
2911	*/
2912	AssertMsgReturn(!(pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_REQUIRED),
2913	("Re-saving host-state after executing guest code without leaving VT-x!\n"), VERR_WRONG_ORDER);
2914	#endif
2915
2916	/*
2917	* Host DS, ES, FS and GS segment registers.
2918	*/
2919	#if HC_ARCH_BITS == 64
2920	RTSEL uSelDS = ASMGetDS();
2921	RTSEL uSelES = ASMGetES();
2922	RTSEL uSelFS = ASMGetFS();
2923	RTSEL uSelGS = ASMGetGS();
2924	#else
2925	RTSEL uSelDS = 0;
2926	RTSEL uSelES = 0;
2927	RTSEL uSelFS = 0;
2928	RTSEL uSelGS = 0;
2929	#endif
2930
2931	/* Recalculate which host-state bits need to be manually restored. */
2932	pVCpu->hm.s.vmx.fRestoreHostFlags = 0;
2933
2934	/*
2935	* Host CS and SS segment registers.
2936	*/
2937	RTSEL uSelCS = ASMGetCS();
2938	RTSEL uSelSS = ASMGetSS();
2939
2940	/*
2941	* Host TR segment register.
2942	*/
2943	RTSEL uSelTR = ASMGetTR();
2944
2945	#if HC_ARCH_BITS == 64
2946	/*
2947	* Determine if the host segment registers are suitable for VT-x. Otherwise use zero to gain VM-entry and restore them
2948	* before we get preempted. See Intel spec. 26.2.3 "Checks on Host Segment and Descriptor-Table Registers".
2949	*/
2950	VMXLOCAL_ADJUST_HOST_SEG(DS, uSelDS);
2951	VMXLOCAL_ADJUST_HOST_SEG(ES, uSelES);
2952	VMXLOCAL_ADJUST_HOST_SEG(FS, uSelFS);
2953	VMXLOCAL_ADJUST_HOST_SEG(GS, uSelGS);
2954	# undef VMXLOCAL_ADJUST_HOST_SEG
2955	#endif
2956
2957	/* Verification based on Intel spec. 26.2.3 "Checks on Host Segment and Descriptor-Table Registers" */
2958	Assert(!(uSelCS & X86_SEL_RPL)); Assert(!(uSelCS & X86_SEL_LDT));
2959	Assert(!(uSelSS & X86_SEL_RPL)); Assert(!(uSelSS & X86_SEL_LDT));
2960	Assert(!(uSelDS & X86_SEL_RPL)); Assert(!(uSelDS & X86_SEL_LDT));
2961	Assert(!(uSelES & X86_SEL_RPL)); Assert(!(uSelES & X86_SEL_LDT));
2962	Assert(!(uSelFS & X86_SEL_RPL)); Assert(!(uSelFS & X86_SEL_LDT));
2963	Assert(!(uSelGS & X86_SEL_RPL)); Assert(!(uSelGS & X86_SEL_LDT));
2964	Assert(!(uSelTR & X86_SEL_RPL)); Assert(!(uSelTR & X86_SEL_LDT));
2965	Assert(uSelCS);
2966	Assert(uSelTR);
2967
2968	/* Assertion is right but we would not have updated u32ExitCtls yet. */
2969	#if 0
2970	if (!(pVCpu->hm.s.vmx.u32ExitCtls & VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE))
2971	Assert(uSelSS != 0);
2972	#endif
2973
2974	/* Write these host selector fields into the host-state area in the VMCS. */
2975	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_CS_SEL, uSelCS);
2976	rc \|= VMXWriteVmcs32(VMX_VMCS16_HOST_SS_SEL, uSelSS);
2977	#if HC_ARCH_BITS == 64
2978	rc \|= VMXWriteVmcs32(VMX_VMCS16_HOST_DS_SEL, uSelDS);
2979	rc \|= VMXWriteVmcs32(VMX_VMCS16_HOST_ES_SEL, uSelES);
2980	rc \|= VMXWriteVmcs32(VMX_VMCS16_HOST_FS_SEL, uSelFS);
2981	rc \|= VMXWriteVmcs32(VMX_VMCS16_HOST_GS_SEL, uSelGS);
2982	#else
2983	NOREF(uSelDS);
2984	NOREF(uSelES);
2985	NOREF(uSelFS);
2986	NOREF(uSelGS);
2987	#endif
2988	rc \|= VMXWriteVmcs32(VMX_VMCS16_HOST_TR_SEL, uSelTR);
2989	AssertRCReturn(rc, rc);
2990
2991	/*
2992	* Host GDTR and IDTR.
2993	*/
2994	RTGDTR Gdtr;
2995	RTIDTR Idtr;
2996	RT_ZERO(Gdtr);
2997	RT_ZERO(Idtr);
2998	ASMGetGDTR(&Gdtr);
2999	ASMGetIDTR(&Idtr);
3000	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_GDTR_BASE, Gdtr.pGdt);
3001	rc \|= VMXWriteVmcsHstN(VMX_VMCS_HOST_IDTR_BASE, Idtr.pIdt);
3002	AssertRCReturn(rc, rc);
3003
3004	#if HC_ARCH_BITS == 64
3005	/*
3006	* Determine if we need to manually need to restore the GDTR and IDTR limits as VT-x zaps them to the
3007	* maximum limit (0xffff) on every VM-exit.
3008	*/
3009	if (Gdtr.cbGdt != 0xffff)
3010	{
3011	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_GDTR;
3012	AssertCompile(sizeof(Gdtr) == sizeof(X86XDTR64));
3013	memcpy(&pVCpu->hm.s.vmx.RestoreHost.HostGdtr, &Gdtr, sizeof(X86XDTR64));
3014	}
3015
3016	/*
3017	* IDT limit is effectively capped at 0xfff. (See Intel spec. 6.14.1 "64-Bit Mode IDT"
3018	* and Intel spec. 6.2 "Exception and Interrupt Vectors".) Therefore if the host has the limit as 0xfff, VT-x
3019	* bloating the limit to 0xffff shouldn't cause any different CPU behavior. However, several hosts either insists
3020	* on 0xfff being the limit (Windows Patch Guard) or uses the limit for other purposes (darwin puts the CPU ID in there
3021	* but botches sidt alignment in at least one consumer). So, we're only allowing IDTR.LIMIT to be left at 0xffff on
3022	* hosts where we are pretty sure it won't cause trouble.
3023	*/
3024	# if defined(RT_OS_LINUX) \|\| defined(RT_OS_SOLARIS)
3025	if (Idtr.cbIdt < 0x0fff)
3026	# else
3027	if (Idtr.cbIdt != 0xffff)
3028	# endif
3029	{
3030	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_IDTR;
3031	AssertCompile(sizeof(Idtr) == sizeof(X86XDTR64));
3032	memcpy(&pVCpu->hm.s.vmx.RestoreHost.HostIdtr, &Idtr, sizeof(X86XDTR64));
3033	}
3034	#endif
3035
3036	/*
3037	* Host TR base. Verify that TR selector doesn't point past the GDT. Masking off the TI and RPL bits
3038	* is effectively what the CPU does for "scaling by 8". TI is always 0 and RPL should be too in most cases.
3039	*/
3040	AssertMsgReturn((uSelTR \| X86_SEL_RPL_LDT) <= Gdtr.cbGdt,
3041	("hmR0VmxSaveHostSegmentRegs: TR selector exceeds limit. TR=%RTsel cbGdt=%#x\n", uSelTR, Gdtr.cbGdt),
3042	VERR_VMX_INVALID_HOST_STATE);
3043
3044	PCX86DESCHC pDesc = (PCX86DESCHC)(Gdtr.pGdt + (uSelTR & X86_SEL_MASK));
3045	#if HC_ARCH_BITS == 64
3046	uintptr_t uTRBase = X86DESC64_BASE(pDesc);
3047
3048	/*
3049	* VT-x unconditionally restores the TR limit to 0x67 and type to 11 (32-bit busy TSS) on all VM-exits.
3050	* The type is the same for 64-bit busy TSS[1]. The limit needs manual restoration if the host has something else.
3051	* Task switching is not supported in 64-bit mode[2], but the limit still matters as IOPM is supported in 64-bit mode.
3052	* Restoring the limit lazily while returning to ring-3 is safe because IOPM is not applicable in ring-0.
3053	*
3054	* [1] See Intel spec. 3.5 "System Descriptor Types".
3055	* [2] See Intel spec. 7.2.3 "TSS Descriptor in 64-bit mode".
3056	*/
3057	Assert(pDesc->System.u4Type == 11);
3058	if ( pDesc->System.u16LimitLow != 0x67
3059	\|\| pDesc->System.u4LimitHigh)
3060	{
3061	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_SEL_TR;
3062	/* If the host has made GDT read-only, we would need to temporarily toggle CR0.WP before writing the GDT. */
3063	if (pVM->hm.s.fHostKernelFeatures & SUPKERNELFEATURES_GDT_READ_ONLY)
3064	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_GDT_READ_ONLY;
3065	pVCpu->hm.s.vmx.RestoreHost.uHostSelTR = uSelTR;
3066
3067	/* Store the GDTR here as we need it while restoring TR. */
3068	memcpy(&pVCpu->hm.s.vmx.RestoreHost.HostGdtr, &Gdtr, sizeof(X86XDTR64));
3069	}
3070	#else
3071	NOREF(pVM);
3072	uintptr_t uTRBase = X86DESC_BASE(pDesc);
3073	#endif
3074	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_TR_BASE, uTRBase);
3075	AssertRCReturn(rc, rc);
3076
3077	/*
3078	* Host FS base and GS base.
3079	*/
3080	#if HC_ARCH_BITS == 64
3081	uint64_t u64FSBase = ASMRdMsr(MSR_K8_FS_BASE);
3082	uint64_t u64GSBase = ASMRdMsr(MSR_K8_GS_BASE);
3083	rc = VMXWriteVmcs64(VMX_VMCS_HOST_FS_BASE, u64FSBase);
3084	rc \|= VMXWriteVmcs64(VMX_VMCS_HOST_GS_BASE, u64GSBase);
3085	AssertRCReturn(rc, rc);
3086
3087	/* Store the base if we have to restore FS or GS manually as we need to restore the base as well. */
3088	if (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_SEL_FS)
3089	pVCpu->hm.s.vmx.RestoreHost.uHostFSBase = u64FSBase;
3090	if (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_SEL_GS)
3091	pVCpu->hm.s.vmx.RestoreHost.uHostGSBase = u64GSBase;
3092	#endif
3093	return rc;
3094	}
3095
3096
3097	/**
3098	* Saves certain host MSRs in the VM-Exit MSR-load area and some in the
3099	* host-state area of the VMCS. Theses MSRs will be automatically restored on
3100	* the host after every successful VM-exit.
3101	*
3102	* @returns VBox status code.
3103	* @param pVM The cross context VM structure.
3104	* @param pVCpu The cross context virtual CPU structure.
3105	*
3106	* @remarks No-long-jump zone!!!
3107	*/
3108	DECLINLINE(int) hmR0VmxSaveHostMsrs(PVM pVM, PVMCPU pVCpu)
3109	{
3110	NOREF(pVM);
3111
3112	AssertPtr(pVCpu);
3113	AssertPtr(pVCpu->hm.s.vmx.pvHostMsr);
3114
3115	/*
3116	* Save MSRs that we restore lazily (due to preemption or transition to ring-3)
3117	* rather than swapping them on every VM-entry.
3118	*/
3119	hmR0VmxLazySaveHostMsrs(pVCpu);
3120
3121	/*
3122	* Host Sysenter MSRs.
3123	*/
3124	int rc = VMXWriteVmcs32(VMX_VMCS32_HOST_SYSENTER_CS, ASMRdMsr_Low(MSR_IA32_SYSENTER_CS));
3125	#if HC_ARCH_BITS == 32
3126	rc \|= VMXWriteVmcs32(VMX_VMCS_HOST_SYSENTER_ESP, ASMRdMsr_Low(MSR_IA32_SYSENTER_ESP));
3127	rc \|= VMXWriteVmcs32(VMX_VMCS_HOST_SYSENTER_EIP, ASMRdMsr_Low(MSR_IA32_SYSENTER_EIP));
3128	#else
3129	rc \|= VMXWriteVmcs64(VMX_VMCS_HOST_SYSENTER_ESP, ASMRdMsr(MSR_IA32_SYSENTER_ESP));
3130	rc \|= VMXWriteVmcs64(VMX_VMCS_HOST_SYSENTER_EIP, ASMRdMsr(MSR_IA32_SYSENTER_EIP));
3131	#endif
3132	AssertRCReturn(rc, rc);
3133
3134	/*
3135	* Host EFER MSR.
3136	* If the CPU supports the newer VMCS controls for managing EFER, use it.
3137	* Otherwise it's done as part of auto-load/store MSR area in the VMCS, see hmR0VmxLoadGuestMsrs().
3138	*/
3139	if (pVM->hm.s.vmx.fSupportsVmcsEfer)
3140	{
3141	rc = VMXWriteVmcs64(VMX_VMCS64_HOST_EFER_FULL, pVM->hm.s.vmx.u64HostEfer);
3142	AssertRCReturn(rc, rc);
3143	}
3144
3145	/** @todo IA32_PERF_GLOBALCTRL, IA32_PAT also see
3146	* hmR0VmxLoadGuestExitCtls() !! */
3147
3148	return rc;
3149	}
3150
3151
3152	/**
3153	* Figures out if we need to swap the EFER MSR which is particularly expensive.
3154	*
3155	* We check all relevant bits. For now, that's everything besides LMA/LME, as
3156	* these two bits are handled by VM-entry, see hmR0VmxLoadGuestExitCtls() and
3157	* hmR0VMxLoadGuestEntryCtls().
3158	*
3159	* @returns true if we need to load guest EFER, false otherwise.
3160	* @param pVCpu The cross context virtual CPU structure.
3161	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3162	* out-of-sync. Make sure to update the required fields
3163	* before using them.
3164	*
3165	* @remarks Requires EFER, CR4.
3166	* @remarks No-long-jump zone!!!
3167	*/
3168	static bool hmR0VmxShouldSwapEferMsr(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3169	{
3170	#ifdef HMVMX_ALWAYS_SWAP_EFER
3171	return true;
3172	#endif
3173
3174	#if HC_ARCH_BITS == 32 && defined(VBOX_ENABLE_64_BITS_GUESTS)
3175	/* For 32-bit hosts running 64-bit guests, we always swap EFER in the world-switcher. Nothing to do here. */
3176	if (CPUMIsGuestInLongMode(pVCpu))
3177	return false;
3178	#endif
3179
3180	PVM pVM = pVCpu->CTX_SUFF(pVM);
3181	uint64_t u64HostEfer = pVM->hm.s.vmx.u64HostEfer;
3182	uint64_t u64GuestEfer = pMixedCtx->msrEFER;
3183
3184	/*
3185	* For 64-bit guests, if EFER.SCE bit differs, we need to swap to ensure that the
3186	* guest's SYSCALL behaviour isn't screwed. See @bugref{7386}.
3187	*/
3188	if ( CPUMIsGuestInLongMode(pVCpu)
3189	&& (u64GuestEfer & MSR_K6_EFER_SCE) != (u64HostEfer & MSR_K6_EFER_SCE))
3190	{
3191	return true;
3192	}
3193
3194	/*
3195	* If the guest uses PAE and EFER.NXE bit differs, we need to swap EFER as it
3196	* affects guest paging. 64-bit paging implies CR4.PAE as well.
3197	* See Intel spec. 4.5 "IA-32e Paging" and Intel spec. 4.1.1 "Three Paging Modes".
3198	*/
3199	if ( (pMixedCtx->cr4 & X86_CR4_PAE)
3200	&& (pMixedCtx->cr0 & X86_CR0_PG)
3201	&& (u64GuestEfer & MSR_K6_EFER_NXE) != (u64HostEfer & MSR_K6_EFER_NXE))
3202	{
3203	/* Assert that host is PAE capable. */
3204	Assert(pVM->hm.s.cpuid.u32AMDFeatureEDX & X86_CPUID_EXT_FEATURE_EDX_NX);
3205	return true;
3206	}
3207
3208	/** @todo Check the latest Intel spec. for any other bits,
3209	* like SMEP/SMAP? */
3210	return false;
3211	}
3212
3213
3214	/**
3215	* Sets up VM-entry controls in the VMCS. These controls can affect things done
3216	* on VM-exit; e.g. "load debug controls", see Intel spec. 24.8.1 "VM-entry
3217	* controls".
3218	*
3219	* @returns VBox status code.
3220	* @param pVCpu The cross context virtual CPU structure.
3221	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3222	* out-of-sync. Make sure to update the required fields
3223	* before using them.
3224	*
3225	* @remarks Requires EFER.
3226	* @remarks No-long-jump zone!!!
3227	*/
3228	DECLINLINE(int) hmR0VmxLoadGuestEntryCtls(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3229	{
3230	int rc = VINF_SUCCESS;
3231	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_ENTRY_CTLS))
3232	{
3233	PVM pVM = pVCpu->CTX_SUFF(pVM);
3234	uint32_t val = pVM->hm.s.vmx.Msrs.VmxEntry.n.disallowed0; /* Bits set here must be set in the VMCS. */
3235	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxEntry.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
3236
3237	/* Load debug controls (DR7 & IA32_DEBUGCTL_MSR). The first VT-x capable CPUs only supports the 1-setting of this bit. */
3238	val \|= VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG;
3239
3240	/* Set if the guest is in long mode. This will set/clear the EFER.LMA bit on VM-entry. */
3241	if (CPUMIsGuestInLongModeEx(pMixedCtx))
3242	{
3243	val \|= VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST;
3244	Log4(("Load[%RU32]: VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST\n", pVCpu->idCpu));
3245	}
3246	else
3247	Assert(!(val & VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST));
3248
3249	/* If the CPU supports the newer VMCS controls for managing guest/host EFER, use it. */
3250	if ( pVM->hm.s.vmx.fSupportsVmcsEfer
3251	&& hmR0VmxShouldSwapEferMsr(pVCpu, pMixedCtx))
3252	{
3253	val \|= VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR;
3254	Log4(("Load[%RU32]: VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR\n", pVCpu->idCpu));
3255	}
3256
3257	/*
3258	* The following should -not- be set (since we're not in SMM mode):
3259	* - VMX_VMCS_CTRL_ENTRY_ENTRY_SMM
3260	* - VMX_VMCS_CTRL_ENTRY_DEACTIVATE_DUALMON
3261	*/
3262
3263	/** @todo VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PERF_MSR,
3264	* VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PAT_MSR. */
3265
3266	if ((val & zap) != val)
3267	{
3268	LogRel(("hmR0VmxLoadGuestEntryCtls: Invalid VM-entry controls combo! cpu=%RX64 val=%RX64 zap=%RX64\n",
3269	pVM->hm.s.vmx.Msrs.VmxEntry.n.disallowed0, val, zap));
3270	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_ENTRY;
3271	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
3272	}
3273
3274	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY, val);
3275	AssertRCReturn(rc, rc);
3276
3277	pVCpu->hm.s.vmx.u32EntryCtls = val;
3278	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_ENTRY_CTLS);
3279	}
3280	return rc;
3281	}
3282
3283
3284	/**
3285	* Sets up the VM-exit controls in the VMCS.
3286	*
3287	* @returns VBox status code.
3288	* @param pVCpu The cross context virtual CPU structure.
3289	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3290	* out-of-sync. Make sure to update the required fields
3291	* before using them.
3292	*
3293	* @remarks Requires EFER.
3294	*/
3295	DECLINLINE(int) hmR0VmxLoadGuestExitCtls(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3296	{
3297	NOREF(pMixedCtx);
3298
3299	int rc = VINF_SUCCESS;
3300	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_EXIT_CTLS))
3301	{
3302	PVM pVM = pVCpu->CTX_SUFF(pVM);
3303	uint32_t val = pVM->hm.s.vmx.Msrs.VmxExit.n.disallowed0; /* Bits set here must be set in the VMCS. */
3304	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
3305
3306	/* Save debug controls (DR7 & IA32_DEBUGCTL_MSR). The first VT-x CPUs only supported the 1-setting of this bit. */
3307	val \|= VMX_VMCS_CTRL_EXIT_SAVE_DEBUG;
3308
3309	/*
3310	* Set the host long mode active (EFER.LMA) bit (which Intel calls "Host address-space size") if necessary.
3311	* On VM-exit, VT-x sets both the host EFER.LMA and EFER.LME bit to this value. See assertion in hmR0VmxSaveHostMsrs().
3312	*/
3313	#if HC_ARCH_BITS == 64
3314	val \|= VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE;
3315	Log4(("Load[%RU32]: VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE\n", pVCpu->idCpu));
3316	#else
3317	if (CPUMIsGuestInLongModeEx(pMixedCtx))
3318	{
3319	/* The switcher returns to long mode, EFER is managed by the switcher. */
3320	val \|= VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE;
3321	Log4(("Load[%RU32]: VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE\n", pVCpu->idCpu));
3322	}
3323	else
3324	Assert(!(val & VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE));
3325	#endif
3326
3327	/* If the newer VMCS fields for managing EFER exists, use it. */
3328	if ( pVM->hm.s.vmx.fSupportsVmcsEfer
3329	&& hmR0VmxShouldSwapEferMsr(pVCpu, pMixedCtx))
3330	{
3331	val \|= VMX_VMCS_CTRL_EXIT_SAVE_GUEST_EFER_MSR
3332	\| VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR;
3333	Log4(("Load[%RU32]: VMX_VMCS_CTRL_EXIT_SAVE_GUEST_EFER_MSR, VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR\n", pVCpu->idCpu));
3334	}
3335
3336	/* Don't acknowledge external interrupts on VM-exit. We want to let the host do that. */
3337	Assert(!(val & VMX_VMCS_CTRL_EXIT_ACK_EXT_INT));
3338
3339	/** @todo VMX_VMCS_CTRL_EXIT_LOAD_PERF_MSR,
3340	* VMX_VMCS_CTRL_EXIT_SAVE_GUEST_PAT_MSR,
3341	* VMX_VMCS_CTRL_EXIT_LOAD_HOST_PAT_MSR. */
3342
3343	if ( pVM->hm.s.vmx.fUsePreemptTimer
3344	&& (pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_SAVE_VMX_PREEMPT_TIMER))
3345	val \|= VMX_VMCS_CTRL_EXIT_SAVE_VMX_PREEMPT_TIMER;
3346
3347	if ((val & zap) != val)
3348	{
3349	LogRel(("hmR0VmxSetupProcCtls: Invalid VM-exit controls combo! cpu=%RX64 val=%RX64 zap=%RX64\n",
3350	pVM->hm.s.vmx.Msrs.VmxExit.n.disallowed0, val, zap));
3351	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_EXIT;
3352	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
3353	}
3354
3355	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT, val);
3356	AssertRCReturn(rc, rc);
3357
3358	pVCpu->hm.s.vmx.u32ExitCtls = val;
3359	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_EXIT_CTLS);
3360	}
3361	return rc;
3362	}
3363
3364
3365	/**
3366	* Sets the TPR threshold in the VMCS.
3367	*
3368	* @returns VBox status code.
3369	* @param pVCpu The cross context virtual CPU structure.
3370	* @param u32TprThreshold The TPR threshold (task-priority class only).
3371	*/
3372	DECLINLINE(int) hmR0VmxApicSetTprThreshold(PVMCPU pVCpu, uint32_t u32TprThreshold)
3373	{
3374	Assert(!(u32TprThreshold & 0xfffffff0)); /* Bits 31:4 MBZ. */
3375	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW);
3376	return VMXWriteVmcs32(VMX_VMCS32_CTRL_TPR_THRESHOLD, u32TprThreshold);
3377	}
3378
3379
3380	/**
3381	* Loads the guest APIC and related state.
3382	*
3383	* @returns VBox status code.
3384	* @param pVCpu The cross context virtual CPU structure.
3385	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3386	* out-of-sync. Make sure to update the required fields
3387	* before using them.
3388	*/
3389	DECLINLINE(int) hmR0VmxLoadGuestApicState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3390	{
3391	NOREF(pMixedCtx);
3392
3393	int rc = VINF_SUCCESS;
3394	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE))
3395	{
3396	/* Setup TPR shadowing. Also setup TPR patching for 32-bit guests. */
3397	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
3398	{
3399	Assert(pVCpu->hm.s.vmx.HCPhysVirtApic);
3400
3401	bool fPendingIntr = false;
3402	uint8_t u8Tpr = 0;
3403	uint8_t u8PendingIntr = 0;
3404	rc = PDMApicGetTPR(pVCpu, &u8Tpr, &fPendingIntr, &u8PendingIntr);
3405	AssertRCReturn(rc, rc);
3406
3407	/*
3408	* If there are external interrupts pending but masked by the TPR value, instruct VT-x to cause a VM-exit when
3409	* the guest lowers its TPR below the highest-priority pending interrupt and we can deliver the interrupt.
3410	* If there are no external interrupts pending, set threshold to 0 to not cause a VM-exit. We will eventually deliver
3411	* the interrupt when we VM-exit for other reasons.
3412	*/
3413	pVCpu->hm.s.vmx.pbVirtApic[0x80] = u8Tpr; /* Offset 0x80 is TPR in the APIC MMIO range. */
3414	uint32_t u32TprThreshold = 0;
3415	if (fPendingIntr)
3416	{
3417	/* Bits 3:0 of the TPR threshold field correspond to bits 7:4 of the TPR (which is the Task-Priority Class). */
3418	const uint8_t u8PendingPriority = (u8PendingIntr >> 4) & 0xf;
3419	const uint8_t u8TprPriority = (u8Tpr >> 4) & 0xf;
3420	if (u8PendingPriority <= u8TprPriority)
3421	u32TprThreshold = u8PendingPriority;
3422	else
3423	u32TprThreshold = u8TprPriority; /* Required for Vista 64-bit guest, see @bugref{6398}. */
3424	}
3425
3426	rc = hmR0VmxApicSetTprThreshold(pVCpu, u32TprThreshold);
3427	AssertRCReturn(rc, rc);
3428	}
3429
3430	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
3431	}
3432	return rc;
3433	}
3434
3435
3436	/**
3437	* Gets the guest's interruptibility-state ("interrupt shadow" as AMD calls it).
3438	*
3439	* @returns Guest's interruptibility-state.
3440	* @param pVCpu The cross context virtual CPU structure.
3441	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3442	* out-of-sync. Make sure to update the required fields
3443	* before using them.
3444	*
3445	* @remarks No-long-jump zone!!!
3446	*/
3447	DECLINLINE(uint32_t) hmR0VmxGetGuestIntrState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3448	{
3449	/*
3450	* Check if we should inhibit interrupt delivery due to instructions like STI and MOV SS.
3451	*/
3452	uint32_t uIntrState = 0;
3453	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
3454	{
3455	/* If inhibition is active, RIP & RFLAGS should've been accessed (i.e. read previously from the VMCS or from ring-3). */
3456	AssertMsg(HMVMXCPU_GST_IS_SET(pVCpu, HMVMX_UPDATED_GUEST_RIP \| HMVMX_UPDATED_GUEST_RFLAGS),
3457	("%#x\n", HMVMXCPU_GST_VALUE(pVCpu)));
3458	if (pMixedCtx->rip == EMGetInhibitInterruptsPC(pVCpu))
3459	{
3460	if (pMixedCtx->eflags.Bits.u1IF)
3461	uIntrState = VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI;
3462	else
3463	uIntrState = VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS;
3464	}
3465	else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
3466	{
3467	/*
3468	* We can clear the inhibit force flag as even if we go back to the recompiler without executing guest code in
3469	* VT-x, the flag's condition to be cleared is met and thus the cleared state is correct.
3470	*/
3471	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
3472	}
3473	}
3474
3475	/*
3476	* NMIs to the guest are blocked after an NMI is injected until the guest executes an IRET. We only
3477	* bother with virtual-NMI blocking when we have support for virtual NMIs in the CPU, otherwise
3478	* setting this would block host-NMIs and IRET will not clear the blocking.
3479	*
3480	* See Intel spec. 26.6.1 "Interruptibility state". See @bugref{7445}.
3481	*/
3482	if ( VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS)
3483	&& (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI))
3484	{
3485	uIntrState \|= VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI;
3486	}
3487
3488	return uIntrState;
3489	}
3490
3491
3492	/**
3493	* Loads the guest's interruptibility-state into the guest-state area in the
3494	* VMCS.
3495	*
3496	* @returns VBox status code.
3497	* @param pVCpu The cross context virtual CPU structure.
3498	* @param uIntrState The interruptibility-state to set.
3499	*/
3500	static int hmR0VmxLoadGuestIntrState(PVMCPU pVCpu, uint32_t uIntrState)
3501	{
3502	NOREF(pVCpu);
3503	AssertMsg(!(uIntrState & 0xfffffff0), ("%#x\n", uIntrState)); /* Bits 31:4 MBZ. */
3504	Assert((uIntrState & 0x3) != 0x3); /* Block-by-STI and MOV SS cannot be simultaneously set. */
3505	int rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, uIntrState);
3506	AssertRC(rc);
3507	return rc;
3508	}
3509
3510
3511	/**
3512	* Loads the exception intercepts required for guest execution in the VMCS.
3513	*
3514	* @returns VBox status code.
3515	* @param pVCpu The cross context virtual CPU structure.
3516	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3517	* out-of-sync. Make sure to update the required fields
3518	* before using them.
3519	*/
3520	static int hmR0VmxLoadGuestXcptIntercepts(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3521	{
3522	NOREF(pMixedCtx);
3523	int rc = VINF_SUCCESS;
3524	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS))
3525	{
3526	/* The remaining exception intercepts are handled elsewhere, e.g. in hmR0VmxLoadSharedCR0(). */
3527	if (pVCpu->hm.s.fGIMTrapXcptUD)
3528	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_UD);
3529	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
3530	else
3531	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_UD);
3532	#endif
3533
3534	Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_AC));
3535	Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_DB));
3536
3537	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap);
3538	AssertRCReturn(rc, rc);
3539
3540	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
3541	Log4(("Load[%RU32]: VMX_VMCS32_CTRL_EXCEPTION_BITMAP=%#RX64 fContextUseFlags=%#RX32\n", pVCpu->idCpu,
3542	pVCpu->hm.s.vmx.u32XcptBitmap, HMCPU_CF_VALUE(pVCpu)));
3543	}
3544	return rc;
3545	}
3546
3547
3548	/**
3549	* Loads the guest's RIP into the guest-state area in the VMCS.
3550	*
3551	* @returns VBox status code.
3552	* @param pVCpu The cross context virtual CPU structure.
3553	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3554	* out-of-sync. Make sure to update the required fields
3555	* before using them.
3556	*
3557	* @remarks No-long-jump zone!!!
3558	*/
3559	static int hmR0VmxLoadGuestRip(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3560	{
3561	int rc = VINF_SUCCESS;
3562	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RIP))
3563	{
3564	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_RIP, pMixedCtx->rip);
3565	AssertRCReturn(rc, rc);
3566
3567	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_RIP);
3568	Log4(("Load[%RU32]: VMX_VMCS_GUEST_RIP=%#RX64 fContextUseFlags=%#RX32\n", pVCpu->idCpu, pMixedCtx->rip,
3569	HMCPU_CF_VALUE(pVCpu)));
3570	}
3571	return rc;
3572	}
3573
3574
3575	/**
3576	* Loads the guest's RSP into the guest-state area in the VMCS.
3577	*
3578	* @returns VBox status code.
3579	* @param pVCpu The cross context virtual CPU structure.
3580	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3581	* out-of-sync. Make sure to update the required fields
3582	* before using them.
3583	*
3584	* @remarks No-long-jump zone!!!
3585	*/
3586	static int hmR0VmxLoadGuestRsp(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3587	{
3588	int rc = VINF_SUCCESS;
3589	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RSP))
3590	{
3591	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_RSP, pMixedCtx->rsp);
3592	AssertRCReturn(rc, rc);
3593
3594	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_RSP);
3595	Log4(("Load[%RU32]: VMX_VMCS_GUEST_RSP=%#RX64\n", pVCpu->idCpu, pMixedCtx->rsp));
3596	}
3597	return rc;
3598	}
3599
3600
3601	/**
3602	* Loads the guest's RFLAGS into the guest-state area in the VMCS.
3603	*
3604	* @returns VBox status code.
3605	* @param pVCpu The cross context virtual CPU structure.
3606	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3607	* out-of-sync. Make sure to update the required fields
3608	* before using them.
3609	*
3610	* @remarks No-long-jump zone!!!
3611	*/
3612	static int hmR0VmxLoadGuestRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3613	{
3614	int rc = VINF_SUCCESS;
3615	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RFLAGS))
3616	{
3617	/* Intel spec. 2.3.1 "System Flags and Fields in IA-32e Mode" claims the upper 32-bits of RFLAGS are reserved (MBZ).
3618	Let us assert it as such and use 32-bit VMWRITE. */
3619	Assert(!(pMixedCtx->rflags.u64 >> 32));
3620	X86EFLAGS Eflags = pMixedCtx->eflags;
3621	/** @todo r=bird: There shall be no need to OR in X86_EFL_1 here, nor
3622	* shall there be any reason for clearing bits 63:22, 15, 5 and 3.
3623	* These will never be cleared/set, unless some other part of the VMM
3624	* code is buggy - in which case we're better of finding and fixing
3625	* those bugs than hiding them. */
3626	Assert(Eflags.u32 & X86_EFL_RA1_MASK);
3627	Assert(!(Eflags.u32 & ~(X86_EFL_1 \| X86_EFL_LIVE_MASK)));
3628	Eflags.u32 &= VMX_EFLAGS_RESERVED_0; /* Bits 22-31, 15, 5 & 3 MBZ. */
3629	Eflags.u32 \|= VMX_EFLAGS_RESERVED_1; /* Bit 1 MB1. */
3630
3631	/*
3632	* If we're emulating real-mode using Virtual 8086 mode, save the real-mode eflags so we can restore them on VM-exit.
3633	* Modify the real-mode guest's eflags so that VT-x can run the real-mode guest code under Virtual 8086 mode.
3634	*/
3635	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
3636	{
3637	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
3638	Assert(PDMVmmDevHeapIsEnabled(pVCpu->CTX_SUFF(pVM)));
3639	pVCpu->hm.s.vmx.RealMode.Eflags.u32 = Eflags.u32; /* Save the original eflags of the real-mode guest. */
3640	Eflags.Bits.u1VM = 1; /* Set the Virtual 8086 mode bit. */
3641	Eflags.Bits.u2IOPL = 0; /* Change IOPL to 0, otherwise certain instructions won't fault. */
3642	}
3643
3644	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_RFLAGS, Eflags.u32);
3645	AssertRCReturn(rc, rc);
3646
3647	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_RFLAGS);
3648	Log4(("Load[%RU32]: VMX_VMCS_GUEST_RFLAGS=%#RX32\n", pVCpu->idCpu, Eflags.u32));
3649	}
3650	return rc;
3651	}
3652
3653
3654	/**
3655	* Loads the guest RIP, RSP and RFLAGS into the guest-state area in the VMCS.
3656	*
3657	* @returns VBox status code.
3658	* @param pVCpu The cross context virtual CPU structure.
3659	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3660	* out-of-sync. Make sure to update the required fields
3661	* before using them.
3662	*
3663	* @remarks No-long-jump zone!!!
3664	*/
3665	DECLINLINE(int) hmR0VmxLoadGuestRipRspRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3666	{
3667	int rc = hmR0VmxLoadGuestRip(pVCpu, pMixedCtx);
3668	rc \|= hmR0VmxLoadGuestRsp(pVCpu, pMixedCtx);
3669	rc \|= hmR0VmxLoadGuestRflags(pVCpu, pMixedCtx);
3670	AssertRCReturn(rc, rc);
3671	return rc;
3672	}
3673
3674
3675	/**
3676	* Loads the guest CR0 control register into the guest-state area in the VMCS.
3677	* CR0 is partially shared with the host and we have to consider the FPU bits.
3678	*
3679	* @returns VBox status code.
3680	* @param pVCpu The cross context virtual CPU structure.
3681	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3682	* out-of-sync. Make sure to update the required fields
3683	* before using them.
3684	*
3685	* @remarks No-long-jump zone!!!
3686	*/
3687	static int hmR0VmxLoadSharedCR0(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3688	{
3689	/*
3690	* Guest CR0.
3691	* Guest FPU.
3692	*/
3693	int rc = VINF_SUCCESS;
3694	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR0))
3695	{
3696	Assert(!(pMixedCtx->cr0 >> 32));
3697	uint32_t u32GuestCR0 = pMixedCtx->cr0;
3698	PVM pVM = pVCpu->CTX_SUFF(pVM);
3699
3700	/* The guest's view (read access) of its CR0 is unblemished. */
3701	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR0_READ_SHADOW, u32GuestCR0);
3702	AssertRCReturn(rc, rc);
3703	Log4(("Load[%RU32]: VMX_VMCS_CTRL_CR0_READ_SHADOW=%#RX32\n", pVCpu->idCpu, u32GuestCR0));
3704
3705	/* Setup VT-x's view of the guest CR0. */
3706	/* Minimize VM-exits due to CR3 changes when we have NestedPaging. */
3707	if (pVM->hm.s.fNestedPaging)
3708	{
3709	if (CPUMIsGuestPagingEnabledEx(pMixedCtx))
3710	{
3711	/* The guest has paging enabled, let it access CR3 without causing a VM-exit if supported. */
3712	pVCpu->hm.s.vmx.u32ProcCtls &= ~( VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT
3713	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT);
3714	}
3715	else
3716	{
3717	/* The guest doesn't have paging enabled, make CR3 access cause a VM-exit to update our shadow. */
3718	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT
3719	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT;
3720	}
3721
3722	/* If we have unrestricted guest execution, we never have to intercept CR3 reads. */
3723	if (pVM->hm.s.vmx.fUnrestrictedGuest)
3724	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT;
3725
3726	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
3727	AssertRCReturn(rc, rc);
3728	}
3729	else
3730	u32GuestCR0 \|= X86_CR0_WP; /* Guest CPL 0 writes to its read-only pages should cause a #PF VM-exit. */
3731
3732	/*
3733	* Guest FPU bits.
3734	* Intel spec. 23.8 "Restrictions on VMX operation" mentions that CR0.NE bit must always be set on the first
3735	* CPUs to support VT-x and no mention of with regards to UX in VM-entry checks.
3736	*/
3737	u32GuestCR0 \|= X86_CR0_NE;
3738	bool fInterceptNM = false;
3739	if (CPUMIsGuestFPUStateActive(pVCpu))
3740	{
3741	fInterceptNM = false; /* Guest FPU active, no need to VM-exit on #NM. */
3742	/* The guest should still get #NM exceptions when it expects it to, so we should not clear TS & MP bits here.
3743	We're only concerned about -us- not intercepting #NMs when the guest-FPU is active. Not the guest itself! */
3744	}
3745	else
3746	{
3747	fInterceptNM = true; /* Guest FPU inactive, VM-exit on #NM for lazy FPU loading. */
3748	u32GuestCR0 \|= X86_CR0_TS /* Guest can task switch quickly and do lazy FPU syncing. */
3749	\| X86_CR0_MP; /* FWAIT/WAIT should not ignore CR0.TS and should generate #NM. */
3750	}
3751
3752	/* Catch floating point exceptions if we need to report them to the guest in a different way. */
3753	bool fInterceptMF = false;
3754	if (!(pMixedCtx->cr0 & X86_CR0_NE))
3755	fInterceptMF = true;
3756
3757	/* Finally, intercept all exceptions as we cannot directly inject them in real-mode, see hmR0VmxInjectEventVmcs(). */
3758	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
3759	{
3760	Assert(PDMVmmDevHeapIsEnabled(pVM));
3761	Assert(pVM->hm.s.vmx.pRealModeTSS);
3762	pVCpu->hm.s.vmx.u32XcptBitmap \|= HMVMX_REAL_MODE_XCPT_MASK;
3763	fInterceptNM = true;
3764	fInterceptMF = true;
3765	}
3766	else
3767	{
3768	/* For now, cleared here as mode-switches can happen outside HM/VT-x. See @bugref{7626#c11}. */
3769	pVCpu->hm.s.vmx.u32XcptBitmap &= ~HMVMX_REAL_MODE_XCPT_MASK;
3770	}
3771	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
3772
3773	if (fInterceptNM)
3774	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_NM);
3775	else
3776	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_NM);
3777
3778	if (fInterceptMF)
3779	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_MF);
3780	else
3781	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_MF);
3782
3783	/* Additional intercepts for debugging, define these yourself explicitly. */
3784	#ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS
3785	pVCpu->hm.s.vmx.u32XcptBitmap \|= 0
3786	\| RT_BIT(X86_XCPT_BP)
3787	\| RT_BIT(X86_XCPT_DE)
3788	\| RT_BIT(X86_XCPT_NM)
3789	\| RT_BIT(X86_XCPT_TS)
3790	\| RT_BIT(X86_XCPT_UD)
3791	\| RT_BIT(X86_XCPT_NP)
3792	\| RT_BIT(X86_XCPT_SS)
3793	\| RT_BIT(X86_XCPT_GP)
3794	\| RT_BIT(X86_XCPT_PF)
3795	\| RT_BIT(X86_XCPT_MF)
3796	;
3797	#elif defined(HMVMX_ALWAYS_TRAP_PF)
3798	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_PF);
3799	#endif
3800
3801	Assert(pVM->hm.s.fNestedPaging \|\| (pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT(X86_XCPT_PF)));
3802
3803	/* Set/clear the CR0 specific bits along with their exceptions (PE, PG, CD, NW). */
3804	uint32_t uSetCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
3805	uint32_t uZapCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
3806	if (pVM->hm.s.vmx.fUnrestrictedGuest) /* Exceptions for unrestricted-guests for fixed CR0 bits (PE, PG). */
3807	uSetCR0 &= ~(X86_CR0_PE \| X86_CR0_PG);
3808	else
3809	Assert((uSetCR0 & (X86_CR0_PE \| X86_CR0_PG)) == (X86_CR0_PE \| X86_CR0_PG));
3810
3811	u32GuestCR0 \|= uSetCR0;
3812	u32GuestCR0 &= uZapCR0;
3813	u32GuestCR0 &= ~(X86_CR0_CD \| X86_CR0_NW); /* Always enable caching. */
3814
3815	/* Write VT-x's view of the guest CR0 into the VMCS. */
3816	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_CR0, u32GuestCR0);
3817	AssertRCReturn(rc, rc);
3818	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR0=%#RX32 (uSetCR0=%#RX32 uZapCR0=%#RX32)\n", pVCpu->idCpu, u32GuestCR0, uSetCR0,
3819	uZapCR0));
3820
3821	/*
3822	* CR0 is shared between host and guest along with a CR0 read shadow. Therefore, certain bits must not be changed
3823	* by the guest because VT-x ignores saving/restoring them (namely CD, ET, NW) and for certain other bits
3824	* we want to be notified immediately of guest CR0 changes (e.g. PG to update our shadow page tables).
3825	*/
3826	uint32_t u32CR0Mask = 0;
3827	u32CR0Mask = X86_CR0_PE
3828	\| X86_CR0_NE
3829	\| X86_CR0_WP
3830	\| X86_CR0_PG
3831	\| X86_CR0_ET /* Bit ignored on VM-entry and VM-exit. Don't let the guest modify the host CR0.ET */
3832	\| X86_CR0_CD /* Bit ignored on VM-entry and VM-exit. Don't let the guest modify the host CR0.CD */
3833	\| X86_CR0_NW; /* Bit ignored on VM-entry and VM-exit. Don't let the guest modify the host CR0.NW */
3834
3835	/** @todo Avoid intercepting CR0.PE with unrestricted guests. Fix PGM
3836	* enmGuestMode to be in-sync with the current mode. See @bugref{6398}
3837	* and @bugref{6944}. */
3838	#if 0
3839	if (pVM->hm.s.vmx.fUnrestrictedGuest)
3840	u32CR0Mask &= ~X86_CR0_PE;
3841	#endif
3842	if (pVM->hm.s.fNestedPaging)
3843	u32CR0Mask &= ~X86_CR0_WP;
3844
3845	/* If the guest FPU state is active, don't need to VM-exit on writes to FPU related bits in CR0. */
3846	if (fInterceptNM)
3847	{
3848	u32CR0Mask \|= X86_CR0_TS
3849	\| X86_CR0_MP;
3850	}
3851
3852	/* Write the CR0 mask into the VMCS and update the VCPU's copy of the current CR0 mask. */
3853	pVCpu->hm.s.vmx.u32CR0Mask = u32CR0Mask;
3854	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR0_MASK, u32CR0Mask);
3855	AssertRCReturn(rc, rc);
3856	Log4(("Load[%RU32]: VMX_VMCS_CTRL_CR0_MASK=%#RX32\n", pVCpu->idCpu, u32CR0Mask));
3857
3858	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR0);
3859	}
3860	return rc;
3861	}
3862
3863
3864	/**
3865	* Loads the guest control registers (CR3, CR4) into the guest-state area
3866	* in the VMCS.
3867	*
3868	* @returns VBox strict status code.
3869	* @retval VINF_EM_RESCHEDULE_REM if we try to emulate non-paged guest code
3870	* without unrestricted guest access and the VMMDev is not presently
3871	* mapped (e.g. EFI32).
3872	*
3873	* @param pVCpu The cross context virtual CPU structure.
3874	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3875	* out-of-sync. Make sure to update the required fields
3876	* before using them.
3877	*
3878	* @remarks No-long-jump zone!!!
3879	*/
3880	static VBOXSTRICTRC hmR0VmxLoadGuestCR3AndCR4(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3881	{
3882	int rc = VINF_SUCCESS;
3883	PVM pVM = pVCpu->CTX_SUFF(pVM);
3884
3885	/*
3886	* Guest CR2.
3887	* It's always loaded in the assembler code. Nothing to do here.
3888	*/
3889
3890	/*
3891	* Guest CR3.
3892	*/
3893	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR3))
3894	{
3895	RTGCPHYS GCPhysGuestCR3 = NIL_RTGCPHYS;
3896	if (pVM->hm.s.fNestedPaging)
3897	{
3898	pVCpu->hm.s.vmx.HCPhysEPTP = PGMGetHyperCR3(pVCpu);
3899
3900	/* Validate. See Intel spec. 28.2.2 "EPT Translation Mechanism" and 24.6.11 "Extended-Page-Table Pointer (EPTP)" */
3901	Assert(pVCpu->hm.s.vmx.HCPhysEPTP);
3902	Assert(!(pVCpu->hm.s.vmx.HCPhysEPTP & UINT64_C(0xfff0000000000000)));
3903	Assert(!(pVCpu->hm.s.vmx.HCPhysEPTP & 0xfff));
3904
3905	/* VMX_EPT_MEMTYPE_WB support is already checked in hmR0VmxSetupTaggedTlb(). */
3906	pVCpu->hm.s.vmx.HCPhysEPTP \|= VMX_EPT_MEMTYPE_WB
3907	\| (VMX_EPT_PAGE_WALK_LENGTH_DEFAULT << VMX_EPT_PAGE_WALK_LENGTH_SHIFT);
3908
3909	/* Validate. See Intel spec. 26.2.1 "Checks on VMX Controls" */
3910	AssertMsg( ((pVCpu->hm.s.vmx.HCPhysEPTP >> 3) & 0x07) == 3 /* Bits 3:5 (EPT page walk length - 1) must be 3. */
3911	&& ((pVCpu->hm.s.vmx.HCPhysEPTP >> 7) & 0x1f) == 0, /* Bits 7:11 MBZ. */
3912	("EPTP %#RX64\n", pVCpu->hm.s.vmx.HCPhysEPTP));
3913	AssertMsg( !((pVCpu->hm.s.vmx.HCPhysEPTP >> 6) & 0x01) /* Bit 6 (EPT accessed & dirty bit). */
3914	\|\| (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_EPT_ACCESS_DIRTY),
3915	("EPTP accessed/dirty bit not supported by CPU but set %#RX64\n", pVCpu->hm.s.vmx.HCPhysEPTP));
3916
3917	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_EPTP_FULL, pVCpu->hm.s.vmx.HCPhysEPTP);
3918	AssertRCReturn(rc, rc);
3919	Log4(("Load[%RU32]: VMX_VMCS64_CTRL_EPTP_FULL=%#RX64\n", pVCpu->idCpu, pVCpu->hm.s.vmx.HCPhysEPTP));
3920
3921	if ( pVM->hm.s.vmx.fUnrestrictedGuest
3922	\|\| CPUMIsGuestPagingEnabledEx(pMixedCtx))
3923	{
3924	/* If the guest is in PAE mode, pass the PDPEs to VT-x using the VMCS fields. */
3925	if (CPUMIsGuestInPAEModeEx(pMixedCtx))
3926	{
3927	rc = PGMGstGetPaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
3928	AssertRCReturn(rc, rc);
3929	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE0_FULL, pVCpu->hm.s.aPdpes[0].u);
3930	rc \|= VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE1_FULL, pVCpu->hm.s.aPdpes[1].u);
3931	rc \|= VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE2_FULL, pVCpu->hm.s.aPdpes[2].u);
3932	rc \|= VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE3_FULL, pVCpu->hm.s.aPdpes[3].u);
3933	AssertRCReturn(rc, rc);
3934	}
3935
3936	/* The guest's view of its CR3 is unblemished with Nested Paging when the guest is using paging or we
3937	have Unrestricted Execution to handle the guest when it's not using paging. */
3938	GCPhysGuestCR3 = pMixedCtx->cr3;
3939	}
3940	else
3941	{
3942	/*
3943	* The guest is not using paging, but the CPU (VT-x) has to. While the guest thinks it accesses physical memory
3944	* directly, we use our identity-mapped page table to map guest-linear to guest-physical addresses.
3945	* EPT takes care of translating it to host-physical addresses.
3946	*/
3947	RTGCPHYS GCPhys;
3948	Assert(pVM->hm.s.vmx.pNonPagingModeEPTPageTable);
3949
3950	/* We obtain it here every time as the guest could have relocated this PCI region. */
3951	rc = PDMVmmDevHeapR3ToGCPhys(pVM, pVM->hm.s.vmx.pNonPagingModeEPTPageTable, &GCPhys);
3952	if (RT_SUCCESS(rc))
3953	{ /* likely */ }
3954	else if (rc == VERR_PDM_DEV_HEAP_R3_TO_GCPHYS)
3955	{
3956	Log4(("Load[%RU32]: VERR_PDM_DEV_HEAP_R3_TO_GCPHYS -> VINF_EM_RESCHEDULE_REM\n", pVCpu->idCpu));
3957	return VINF_EM_RESCHEDULE_REM; /* We cannot execute now, switch to REM/IEM till the guest maps in VMMDev. */
3958	}
3959	else
3960	AssertMsgFailedReturn(("%Rrc\n", rc), rc);
3961
3962	GCPhysGuestCR3 = GCPhys;
3963	}
3964
3965	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR3=%#RGp (GstN)\n", pVCpu->idCpu, GCPhysGuestCR3));
3966	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_CR3, GCPhysGuestCR3);
3967	}
3968	else
3969	{
3970	/* Non-nested paging case, just use the hypervisor's CR3. */
3971	RTHCPHYS HCPhysGuestCR3 = PGMGetHyperCR3(pVCpu);
3972
3973	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR3=%#RHv (HstN)\n", pVCpu->idCpu, HCPhysGuestCR3));
3974	rc = VMXWriteVmcsHstN(VMX_VMCS_GUEST_CR3, HCPhysGuestCR3);
3975	}
3976	AssertRCReturn(rc, rc);
3977
3978	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR3);
3979	}
3980
3981	/*
3982	* Guest CR4.
3983	* ASSUMES this is done everytime we get in from ring-3! (XCR0)
3984	*/
3985	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR4))
3986	{
3987	Assert(!(pMixedCtx->cr4 >> 32));
3988	uint32_t u32GuestCR4 = pMixedCtx->cr4;
3989
3990	/* The guest's view of its CR4 is unblemished. */
3991	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR4_READ_SHADOW, u32GuestCR4);
3992	AssertRCReturn(rc, rc);
3993	Log4(("Load[%RU32]: VMX_VMCS_CTRL_CR4_READ_SHADOW=%#RX32\n", pVCpu->idCpu, u32GuestCR4));
3994
3995	/* Setup VT-x's view of the guest CR4. */
3996	/*
3997	* If we're emulating real-mode using virtual-8086 mode, we want to redirect software interrupts to the 8086 program
3998	* interrupt handler. Clear the VME bit (the interrupt redirection bitmap is already all 0, see hmR3InitFinalizeR0())
3999	* See Intel spec. 20.2 "Software Interrupt Handling Methods While in Virtual-8086 Mode".
4000	*/
4001	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4002	{
4003	Assert(pVM->hm.s.vmx.pRealModeTSS);
4004	Assert(PDMVmmDevHeapIsEnabled(pVM));
4005	u32GuestCR4 &= ~X86_CR4_VME;
4006	}
4007
4008	if (pVM->hm.s.fNestedPaging)
4009	{
4010	if ( !CPUMIsGuestPagingEnabledEx(pMixedCtx)
4011	&& !pVM->hm.s.vmx.fUnrestrictedGuest)
4012	{
4013	/* We use 4 MB pages in our identity mapping page table when the guest doesn't have paging. */
4014	u32GuestCR4 \|= X86_CR4_PSE;
4015	/* Our identity mapping is a 32-bit page directory. */
4016	u32GuestCR4 &= ~X86_CR4_PAE;
4017	}
4018	/* else use guest CR4.*/
4019	}
4020	else
4021	{
4022	/*
4023	* The shadow paging modes and guest paging modes are different, the shadow is in accordance with the host
4024	* paging mode and thus we need to adjust VT-x's view of CR4 depending on our shadow page tables.
4025	*/
4026	switch (pVCpu->hm.s.enmShadowMode)
4027	{
4028	case PGMMODE_REAL: /* Real-mode. */
4029	case PGMMODE_PROTECTED: /* Protected mode without paging. */
4030	case PGMMODE_32_BIT: /* 32-bit paging. */
4031	{
4032	u32GuestCR4 &= ~X86_CR4_PAE;
4033	break;
4034	}
4035
4036	case PGMMODE_PAE: /* PAE paging. */
4037	case PGMMODE_PAE_NX: /* PAE paging with NX. */
4038	{
4039	u32GuestCR4 \|= X86_CR4_PAE;
4040	break;
4041	}
4042
4043	case PGMMODE_AMD64: /* 64-bit AMD paging (long mode). */
4044	case PGMMODE_AMD64_NX: /* 64-bit AMD paging (long mode) with NX enabled. */
4045	#ifdef VBOX_ENABLE_64_BITS_GUESTS
4046	break;
4047	#endif
4048	default:
4049	AssertFailed();
4050	return VERR_PGM_UNSUPPORTED_SHADOW_PAGING_MODE;
4051	}
4052	}
4053
4054	/* We need to set and clear the CR4 specific bits here (mainly the X86_CR4_VMXE bit). */
4055	uint64_t uSetCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
4056	uint64_t uZapCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
4057	u32GuestCR4 \|= uSetCR4;
4058	u32GuestCR4 &= uZapCR4;
4059
4060	/* Write VT-x's view of the guest CR4 into the VMCS. */
4061	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR4=%#RX32 (Set=%#RX32 Zap=%#RX32)\n", pVCpu->idCpu, u32GuestCR4, uSetCR4, uZapCR4));
4062	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_CR4, u32GuestCR4);
4063	AssertRCReturn(rc, rc);
4064
4065	/* Setup CR4 mask. CR4 flags owned by the host, if the guest attempts to change them, that would cause a VM-exit. */
4066	uint32_t u32CR4Mask = X86_CR4_VME
4067	\| X86_CR4_PAE
4068	\| X86_CR4_PGE
4069	\| X86_CR4_PSE
4070	\| X86_CR4_VMXE;
4071	if (pVM->cpum.ro.HostFeatures.fXSaveRstor)
4072	u32CR4Mask \|= X86_CR4_OSXSAVE;
4073	pVCpu->hm.s.vmx.u32CR4Mask = u32CR4Mask;
4074	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR4_MASK, u32CR4Mask);
4075	AssertRCReturn(rc, rc);
4076
4077	/* Whether to save/load/restore XCR0 during world switch depends on CR4.OSXSAVE and host+guest XCR0. */
4078	pVCpu->hm.s.fLoadSaveGuestXcr0 = (pMixedCtx->cr4 & X86_CR4_OSXSAVE) && pMixedCtx->aXcr[0] != ASMGetXcr0();
4079
4080	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR4);
4081	}
4082	return rc;
4083	}
4084
4085
4086	/**
4087	* Loads the guest debug registers into the guest-state area in the VMCS.
4088	*
4089	* This also sets up whether \#DB and MOV DRx accesses cause VM-exits.
4090	*
4091	* The guest debug bits are partially shared with the host (e.g. DR6, DR0-3).
4092	*
4093	* @returns VBox status code.
4094	* @param pVCpu The cross context virtual CPU structure.
4095	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4096	* out-of-sync. Make sure to update the required fields
4097	* before using them.
4098	*
4099	* @remarks No-long-jump zone!!!
4100	*/
4101	static int hmR0VmxLoadSharedDebugState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4102	{
4103	if (!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_DEBUG))
4104	return VINF_SUCCESS;
4105
4106	#ifdef VBOX_STRICT
4107	/* Validate. Intel spec. 26.3.1.1 "Checks on Guest Controls Registers, Debug Registers, MSRs" */
4108	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG)
4109	{
4110	/* Validate. Intel spec. 17.2 "Debug Registers", recompiler paranoia checks. */
4111	Assert((pMixedCtx->dr[7] & (X86_DR7_MBZ_MASK \| X86_DR7_RAZ_MASK)) == 0); /* Bits 63:32, 15, 14, 12, 11 are reserved. */
4112	Assert((pMixedCtx->dr[7] & X86_DR7_RA1_MASK) == X86_DR7_RA1_MASK); /* Bit 10 is reserved (RA1). */
4113	}
4114	#endif
4115
4116	int rc;
4117	PVM pVM = pVCpu->CTX_SUFF(pVM);
4118	bool fSteppingDB = false;
4119	bool fInterceptMovDRx = false;
4120	if (pVCpu->hm.s.fSingleInstruction)
4121	{
4122	/* If the CPU supports the monitor trap flag, use it for single stepping in DBGF and avoid intercepting #DB. */
4123	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG)
4124	{
4125	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG;
4126	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
4127	AssertRCReturn(rc, rc);
4128	Assert(fSteppingDB == false);
4129	}
4130	else
4131	{
4132	pMixedCtx->eflags.u32 \|= X86_EFL_TF;
4133	pVCpu->hm.s.fClearTrapFlag = true;
4134	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS);
4135	fSteppingDB = true;
4136	}
4137	}
4138
4139	if ( fSteppingDB
4140	\|\| (CPUMGetHyperDR7(pVCpu) & X86_DR7_ENABLED_MASK))
4141	{
4142	/*
4143	* Use the combined guest and host DRx values found in the hypervisor
4144	* register set because the debugger has breakpoints active or someone
4145	* is single stepping on the host side without a monitor trap flag.
4146	*
4147	* Note! DBGF expects a clean DR6 state before executing guest code.
4148	*/
4149	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
4150	if ( CPUMIsGuestInLongModeEx(pMixedCtx)
4151	&& !CPUMIsHyperDebugStateActivePending(pVCpu))
4152	{
4153	CPUMR0LoadHyperDebugState(pVCpu, true /* include DR6 */);
4154	Assert(CPUMIsHyperDebugStateActivePending(pVCpu));
4155	Assert(!CPUMIsGuestDebugStateActivePending(pVCpu));
4156	}
4157	else
4158	#endif
4159	if (!CPUMIsHyperDebugStateActive(pVCpu))
4160	{
4161	CPUMR0LoadHyperDebugState(pVCpu, true /* include DR6 */);
4162	Assert(CPUMIsHyperDebugStateActive(pVCpu));
4163	Assert(!CPUMIsGuestDebugStateActive(pVCpu));
4164	}
4165
4166	/* Update DR7. (The other DRx values are handled by CPUM one way or the other.) */
4167	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_DR7, (uint32_t)CPUMGetHyperDR7(pVCpu));
4168	AssertRCReturn(rc, rc);
4169
4170	pVCpu->hm.s.fUsingHyperDR7 = true;
4171	fInterceptMovDRx = true;
4172	}
4173	else
4174	{
4175	/*
4176	* If the guest has enabled debug registers, we need to load them prior to
4177	* executing guest code so they'll trigger at the right time.
4178	*/
4179	if (pMixedCtx->dr[7] & (X86_DR7_ENABLED_MASK \| X86_DR7_GD)) /** @todo Why GD? */
4180	{
4181	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
4182	if ( CPUMIsGuestInLongModeEx(pMixedCtx)
4183	&& !CPUMIsGuestDebugStateActivePending(pVCpu))
4184	{
4185	CPUMR0LoadGuestDebugState(pVCpu, true /* include DR6 */);
4186	Assert(CPUMIsGuestDebugStateActivePending(pVCpu));
4187	Assert(!CPUMIsHyperDebugStateActivePending(pVCpu));
4188	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxArmed);
4189	}
4190	else
4191	#endif
4192	if (!CPUMIsGuestDebugStateActive(pVCpu))
4193	{
4194	CPUMR0LoadGuestDebugState(pVCpu, true /* include DR6 */);
4195	Assert(CPUMIsGuestDebugStateActive(pVCpu));
4196	Assert(!CPUMIsHyperDebugStateActive(pVCpu));
4197	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxArmed);
4198	}
4199	Assert(!fInterceptMovDRx);
4200	}
4201	/*
4202	* If no debugging enabled, we'll lazy load DR0-3. Unlike on AMD-V, we
4203	* must intercept #DB in order to maintain a correct DR6 guest value, and
4204	* because we need to intercept it to prevent nested #DBs from hanging the
4205	* CPU, we end up always having to intercept it. See hmR0VmxInitXcptBitmap.
4206	*/
4207	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
4208	else if ( !CPUMIsGuestDebugStateActivePending(pVCpu)
4209	&& !CPUMIsGuestDebugStateActive(pVCpu))
4210	#else
4211	else if (!CPUMIsGuestDebugStateActive(pVCpu))
4212	#endif
4213	{
4214	fInterceptMovDRx = true;
4215	}
4216
4217	/* Update guest DR7. */
4218	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_DR7, pMixedCtx->dr[7]);
4219	AssertRCReturn(rc, rc);
4220
4221	pVCpu->hm.s.fUsingHyperDR7 = false;
4222	}
4223
4224	/*
4225	* Update the processor-based VM-execution controls regarding intercepting MOV DRx instructions.
4226	*/
4227	if (fInterceptMovDRx)
4228	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT;
4229	else
4230	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT;
4231	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
4232	AssertRCReturn(rc, rc);
4233
4234	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_DEBUG);
4235	return VINF_SUCCESS;
4236	}
4237
4238
4239	#ifdef VBOX_STRICT
4240	/**
4241	* Strict function to validate segment registers.
4242	*
4243	* @remarks ASSUMES CR0 is up to date.
4244	*/
4245	static void hmR0VmxValidateSegmentRegs(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
4246	{
4247	/* Validate segment registers. See Intel spec. 26.3.1.2 "Checks on Guest Segment Registers". */
4248	/* NOTE: The reason we check for attribute value 0 and not just the unusable bit here is because hmR0VmxWriteSegmentReg()
4249	* only updates the VMCS' copy of the value with the unusable bit and doesn't change the guest-context value. */
4250	if ( !pVM->hm.s.vmx.fUnrestrictedGuest
4251	&& ( !CPUMIsGuestInRealModeEx(pCtx)
4252	&& !CPUMIsGuestInV86ModeEx(pCtx)))
4253	{
4254	/* Protected mode checks */
4255	/* CS */
4256	Assert(pCtx->cs.Attr.n.u1Present);
4257	Assert(!(pCtx->cs.Attr.u & 0xf00));
4258	Assert(!(pCtx->cs.Attr.u & 0xfffe0000));
4259	Assert( (pCtx->cs.u32Limit & 0xfff) == 0xfff
4260	\|\| !(pCtx->cs.Attr.n.u1Granularity));
4261	Assert( !(pCtx->cs.u32Limit & 0xfff00000)
4262	\|\| (pCtx->cs.Attr.n.u1Granularity));
4263	/* CS cannot be loaded with NULL in protected mode. */
4264	Assert(pCtx->cs.Attr.u && !(pCtx->cs.Attr.u & X86DESCATTR_UNUSABLE)); /** @todo is this really true even for 64-bit CS? */
4265	if (pCtx->cs.Attr.n.u4Type == 9 \|\| pCtx->cs.Attr.n.u4Type == 11)
4266	Assert(pCtx->cs.Attr.n.u2Dpl == pCtx->ss.Attr.n.u2Dpl);
4267	else if (pCtx->cs.Attr.n.u4Type == 13 \|\| pCtx->cs.Attr.n.u4Type == 15)
4268	Assert(pCtx->cs.Attr.n.u2Dpl <= pCtx->ss.Attr.n.u2Dpl);
4269	else
4270	AssertMsgFailed(("Invalid CS Type %#x\n", pCtx->cs.Attr.n.u2Dpl));
4271	/* SS */
4272	Assert((pCtx->ss.Sel & X86_SEL_RPL) == (pCtx->cs.Sel & X86_SEL_RPL));
4273	Assert(pCtx->ss.Attr.n.u2Dpl == (pCtx->ss.Sel & X86_SEL_RPL));
4274	if ( !(pCtx->cr0 & X86_CR0_PE)
4275	\|\| pCtx->cs.Attr.n.u4Type == 3)
4276	{
4277	Assert(!pCtx->ss.Attr.n.u2Dpl);
4278	}
4279	if (pCtx->ss.Attr.u && !(pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE))
4280	{
4281	Assert((pCtx->ss.Sel & X86_SEL_RPL) == (pCtx->cs.Sel & X86_SEL_RPL));
4282	Assert(pCtx->ss.Attr.n.u4Type == 3 \|\| pCtx->ss.Attr.n.u4Type == 7);
4283	Assert(pCtx->ss.Attr.n.u1Present);
4284	Assert(!(pCtx->ss.Attr.u & 0xf00));
4285	Assert(!(pCtx->ss.Attr.u & 0xfffe0000));
4286	Assert( (pCtx->ss.u32Limit & 0xfff) == 0xfff
4287	\|\| !(pCtx->ss.Attr.n.u1Granularity));
4288	Assert( !(pCtx->ss.u32Limit & 0xfff00000)
4289	\|\| (pCtx->ss.Attr.n.u1Granularity));
4290	}
4291	/* DS, ES, FS, GS - only check for usable selectors, see hmR0VmxWriteSegmentReg(). */
4292	if (pCtx->ds.Attr.u && !(pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE))
4293	{
4294	Assert(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4295	Assert(pCtx->ds.Attr.n.u1Present);
4296	Assert(pCtx->ds.Attr.n.u4Type > 11 \|\| pCtx->ds.Attr.n.u2Dpl >= (pCtx->ds.Sel & X86_SEL_RPL));
4297	Assert(!(pCtx->ds.Attr.u & 0xf00));
4298	Assert(!(pCtx->ds.Attr.u & 0xfffe0000));
4299	Assert( (pCtx->ds.u32Limit & 0xfff) == 0xfff
4300	\|\| !(pCtx->ds.Attr.n.u1Granularity));
4301	Assert( !(pCtx->ds.u32Limit & 0xfff00000)
4302	\|\| (pCtx->ds.Attr.n.u1Granularity));
4303	Assert( !(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4304	\|\| (pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_READ));
4305	}
4306	if (pCtx->es.Attr.u && !(pCtx->es.Attr.u & X86DESCATTR_UNUSABLE))
4307	{
4308	Assert(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4309	Assert(pCtx->es.Attr.n.u1Present);
4310	Assert(pCtx->es.Attr.n.u4Type > 11 \|\| pCtx->es.Attr.n.u2Dpl >= (pCtx->es.Sel & X86_SEL_RPL));
4311	Assert(!(pCtx->es.Attr.u & 0xf00));
4312	Assert(!(pCtx->es.Attr.u & 0xfffe0000));
4313	Assert( (pCtx->es.u32Limit & 0xfff) == 0xfff
4314	\|\| !(pCtx->es.Attr.n.u1Granularity));
4315	Assert( !(pCtx->es.u32Limit & 0xfff00000)
4316	\|\| (pCtx->es.Attr.n.u1Granularity));
4317	Assert( !(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4318	\|\| (pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_READ));
4319	}
4320	if (pCtx->fs.Attr.u && !(pCtx->fs.Attr.u & X86DESCATTR_UNUSABLE))
4321	{
4322	Assert(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4323	Assert(pCtx->fs.Attr.n.u1Present);
4324	Assert(pCtx->fs.Attr.n.u4Type > 11 \|\| pCtx->fs.Attr.n.u2Dpl >= (pCtx->fs.Sel & X86_SEL_RPL));
4325	Assert(!(pCtx->fs.Attr.u & 0xf00));
4326	Assert(!(pCtx->fs.Attr.u & 0xfffe0000));
4327	Assert( (pCtx->fs.u32Limit & 0xfff) == 0xfff
4328	\|\| !(pCtx->fs.Attr.n.u1Granularity));
4329	Assert( !(pCtx->fs.u32Limit & 0xfff00000)
4330	\|\| (pCtx->fs.Attr.n.u1Granularity));
4331	Assert( !(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4332	\|\| (pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_READ));
4333	}
4334	if (pCtx->gs.Attr.u && !(pCtx->gs.Attr.u & X86DESCATTR_UNUSABLE))
4335	{
4336	Assert(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4337	Assert(pCtx->gs.Attr.n.u1Present);
4338	Assert(pCtx->gs.Attr.n.u4Type > 11 \|\| pCtx->gs.Attr.n.u2Dpl >= (pCtx->gs.Sel & X86_SEL_RPL));
4339	Assert(!(pCtx->gs.Attr.u & 0xf00));
4340	Assert(!(pCtx->gs.Attr.u & 0xfffe0000));
4341	Assert( (pCtx->gs.u32Limit & 0xfff) == 0xfff
4342	\|\| !(pCtx->gs.Attr.n.u1Granularity));
4343	Assert( !(pCtx->gs.u32Limit & 0xfff00000)
4344	\|\| (pCtx->gs.Attr.n.u1Granularity));
4345	Assert( !(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4346	\|\| (pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_READ));
4347	}
4348	/* 64-bit capable CPUs. */
4349	# if HC_ARCH_BITS == 64
4350	Assert(!(pCtx->cs.u64Base >> 32));
4351	Assert(!pCtx->ss.Attr.u \|\| !(pCtx->ss.u64Base >> 32));
4352	Assert(!pCtx->ds.Attr.u \|\| !(pCtx->ds.u64Base >> 32));
4353	Assert(!pCtx->es.Attr.u \|\| !(pCtx->es.u64Base >> 32));
4354	# endif
4355	}
4356	else if ( CPUMIsGuestInV86ModeEx(pCtx)
4357	\|\| ( CPUMIsGuestInRealModeEx(pCtx)
4358	&& !pVM->hm.s.vmx.fUnrestrictedGuest))
4359	{
4360	/* Real and v86 mode checks. */
4361	/* hmR0VmxWriteSegmentReg() writes the modified in VMCS. We want what we're feeding to VT-x. */
4362	uint32_t u32CSAttr, u32SSAttr, u32DSAttr, u32ESAttr, u32FSAttr, u32GSAttr;
4363	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4364	{
4365	u32CSAttr = 0xf3; u32SSAttr = 0xf3; u32DSAttr = 0xf3; u32ESAttr = 0xf3; u32FSAttr = 0xf3; u32GSAttr = 0xf3;
4366	}
4367	else
4368	{
4369	u32CSAttr = pCtx->cs.Attr.u; u32SSAttr = pCtx->ss.Attr.u; u32DSAttr = pCtx->ds.Attr.u;
4370	u32ESAttr = pCtx->es.Attr.u; u32FSAttr = pCtx->fs.Attr.u; u32GSAttr = pCtx->gs.Attr.u;
4371	}
4372
4373	/* CS */
4374	AssertMsg((pCtx->cs.u64Base == (uint64_t)pCtx->cs.Sel << 4), ("CS base %#x %#x\n", pCtx->cs.u64Base, pCtx->cs.Sel));
4375	Assert(pCtx->cs.u32Limit == 0xffff);
4376	Assert(u32CSAttr == 0xf3);
4377	/* SS */
4378	Assert(pCtx->ss.u64Base == (uint64_t)pCtx->ss.Sel << 4);
4379	Assert(pCtx->ss.u32Limit == 0xffff);
4380	Assert(u32SSAttr == 0xf3);
4381	/* DS */
4382	Assert(pCtx->ds.u64Base == (uint64_t)pCtx->ds.Sel << 4);
4383	Assert(pCtx->ds.u32Limit == 0xffff);
4384	Assert(u32DSAttr == 0xf3);
4385	/* ES */
4386	Assert(pCtx->es.u64Base == (uint64_t)pCtx->es.Sel << 4);
4387	Assert(pCtx->es.u32Limit == 0xffff);
4388	Assert(u32ESAttr == 0xf3);
4389	/* FS */
4390	Assert(pCtx->fs.u64Base == (uint64_t)pCtx->fs.Sel << 4);
4391	Assert(pCtx->fs.u32Limit == 0xffff);
4392	Assert(u32FSAttr == 0xf3);
4393	/* GS */
4394	Assert(pCtx->gs.u64Base == (uint64_t)pCtx->gs.Sel << 4);
4395	Assert(pCtx->gs.u32Limit == 0xffff);
4396	Assert(u32GSAttr == 0xf3);
4397	/* 64-bit capable CPUs. */
4398	# if HC_ARCH_BITS == 64
4399	Assert(!(pCtx->cs.u64Base >> 32));
4400	Assert(!u32SSAttr \|\| !(pCtx->ss.u64Base >> 32));
4401	Assert(!u32DSAttr \|\| !(pCtx->ds.u64Base >> 32));
4402	Assert(!u32ESAttr \|\| !(pCtx->es.u64Base >> 32));
4403	# endif
4404	}
4405	}
4406	#endif /* VBOX_STRICT */
4407
4408
4409	/**
4410	* Writes a guest segment register into the guest-state area in the VMCS.
4411	*
4412	* @returns VBox status code.
4413	* @param pVCpu The cross context virtual CPU structure.
4414	* @param idxSel Index of the selector in the VMCS.
4415	* @param idxLimit Index of the segment limit in the VMCS.
4416	* @param idxBase Index of the segment base in the VMCS.
4417	* @param idxAccess Index of the access rights of the segment in the VMCS.
4418	* @param pSelReg Pointer to the segment selector.
4419	*
4420	* @remarks No-long-jump zone!!!
4421	*/
4422	static int hmR0VmxWriteSegmentReg(PVMCPU pVCpu, uint32_t idxSel, uint32_t idxLimit, uint32_t idxBase,
4423	uint32_t idxAccess, PCPUMSELREG pSelReg)
4424	{
4425	int rc = VMXWriteVmcs32(idxSel, pSelReg->Sel); /* 16-bit guest selector field. */
4426	rc \|= VMXWriteVmcs32(idxLimit, pSelReg->u32Limit); /* 32-bit guest segment limit field. */
4427	rc \|= VMXWriteVmcsGstN(idxBase, pSelReg->u64Base); /* Natural width guest segment base field.*/
4428	AssertRCReturn(rc, rc);
4429
4430	uint32_t u32Access = pSelReg->Attr.u;
4431	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4432	{
4433	/* VT-x requires our real-using-v86 mode hack to override the segment access-right bits. */
4434	u32Access = 0xf3;
4435	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
4436	Assert(PDMVmmDevHeapIsEnabled(pVCpu->CTX_SUFF(pVM)));
4437	}
4438	else
4439	{
4440	/*
4441	* The way to differentiate between whether this is really a null selector or was just a selector loaded with 0 in
4442	* real-mode is using the segment attributes. A selector loaded in real-mode with the value 0 is valid and usable in
4443	* protected-mode and we should -not- mark it as an unusable segment. Both the recompiler & VT-x ensures NULL selectors
4444	* loaded in protected-mode have their attribute as 0.
4445	*/
4446	if (!u32Access)
4447	u32Access = X86DESCATTR_UNUSABLE;
4448	}
4449
4450	/* Validate segment access rights. Refer to Intel spec. "26.3.1.2 Checks on Guest Segment Registers". */
4451	AssertMsg((u32Access & X86DESCATTR_UNUSABLE) \|\| (u32Access & X86_SEL_TYPE_ACCESSED),
4452	("Access bit not set for usable segment. idx=%#x sel=%#x attr %#x\n", idxBase, pSelReg, pSelReg->Attr.u));
4453
4454	rc = VMXWriteVmcs32(idxAccess, u32Access); /* 32-bit guest segment access-rights field. */
4455	AssertRCReturn(rc, rc);
4456	return rc;
4457	}
4458
4459
4460	/**
4461	* Loads the guest segment registers, GDTR, IDTR, LDTR, (TR, FS and GS bases)
4462	* into the guest-state area in the VMCS.
4463	*
4464	* @returns VBox status code.
4465	* @param pVCpu The cross context virtual CPU structure.
4466	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4467	* out-of-sync. Make sure to update the required fields
4468	* before using them.
4469	*
4470	* @remarks ASSUMES pMixedCtx->cr0 is up to date (strict builds validation).
4471	* @remarks No-long-jump zone!!!
4472	*/
4473	static int hmR0VmxLoadGuestSegmentRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4474	{
4475	int rc = VERR_INTERNAL_ERROR_5;
4476	PVM pVM = pVCpu->CTX_SUFF(pVM);
4477
4478	/*
4479	* Guest Segment registers: CS, SS, DS, ES, FS, GS.
4480	*/
4481	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS))
4482	{
4483	/* Save the segment attributes for real-on-v86 mode hack, so we can restore them on VM-exit. */
4484	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4485	{
4486	pVCpu->hm.s.vmx.RealMode.AttrCS.u = pMixedCtx->cs.Attr.u;
4487	pVCpu->hm.s.vmx.RealMode.AttrSS.u = pMixedCtx->ss.Attr.u;
4488	pVCpu->hm.s.vmx.RealMode.AttrDS.u = pMixedCtx->ds.Attr.u;
4489	pVCpu->hm.s.vmx.RealMode.AttrES.u = pMixedCtx->es.Attr.u;
4490	pVCpu->hm.s.vmx.RealMode.AttrFS.u = pMixedCtx->fs.Attr.u;
4491	pVCpu->hm.s.vmx.RealMode.AttrGS.u = pMixedCtx->gs.Attr.u;
4492	}
4493
4494	#ifdef VBOX_WITH_REM
4495	if (!pVM->hm.s.vmx.fUnrestrictedGuest)
4496	{
4497	Assert(pVM->hm.s.vmx.pRealModeTSS);
4498	AssertCompile(PGMMODE_REAL < PGMMODE_PROTECTED);
4499	if ( pVCpu->hm.s.vmx.fWasInRealMode
4500	&& PGMGetGuestMode(pVCpu) >= PGMMODE_PROTECTED)
4501	{
4502	/* Signal that the recompiler must flush its code-cache as the guest -may- rewrite code it will later execute
4503	in real-mode (e.g. OpenBSD 4.0) */
4504	REMFlushTBs(pVM);
4505	Log4(("Load[%RU32]: Switch to protected mode detected!\n", pVCpu->idCpu));
4506	pVCpu->hm.s.vmx.fWasInRealMode = false;
4507	}
4508	}
4509	#endif
4510	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_CS_SEL, VMX_VMCS32_GUEST_CS_LIMIT, VMX_VMCS_GUEST_CS_BASE,
4511	VMX_VMCS32_GUEST_CS_ACCESS_RIGHTS, &pMixedCtx->cs);
4512	AssertRCReturn(rc, rc);
4513	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_SS_SEL, VMX_VMCS32_GUEST_SS_LIMIT, VMX_VMCS_GUEST_SS_BASE,
4514	VMX_VMCS32_GUEST_SS_ACCESS_RIGHTS, &pMixedCtx->ss);
4515	AssertRCReturn(rc, rc);
4516	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_DS_SEL, VMX_VMCS32_GUEST_DS_LIMIT, VMX_VMCS_GUEST_DS_BASE,
4517	VMX_VMCS32_GUEST_DS_ACCESS_RIGHTS, &pMixedCtx->ds);
4518	AssertRCReturn(rc, rc);
4519	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_ES_SEL, VMX_VMCS32_GUEST_ES_LIMIT, VMX_VMCS_GUEST_ES_BASE,
4520	VMX_VMCS32_GUEST_ES_ACCESS_RIGHTS, &pMixedCtx->es);
4521	AssertRCReturn(rc, rc);
4522	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FS_SEL, VMX_VMCS32_GUEST_FS_LIMIT, VMX_VMCS_GUEST_FS_BASE,
4523	VMX_VMCS32_GUEST_FS_ACCESS_RIGHTS, &pMixedCtx->fs);
4524	AssertRCReturn(rc, rc);
4525	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_GS_SEL, VMX_VMCS32_GUEST_GS_LIMIT, VMX_VMCS_GUEST_GS_BASE,
4526	VMX_VMCS32_GUEST_GS_ACCESS_RIGHTS, &pMixedCtx->gs);
4527	AssertRCReturn(rc, rc);
4528
4529	#ifdef VBOX_STRICT
4530	/* Validate. */
4531	hmR0VmxValidateSegmentRegs(pVM, pVCpu, pMixedCtx);
4532	#endif
4533
4534	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS);
4535	Log4(("Load[%RU32]: CS=%#RX16 Base=%#RX64 Limit=%#RX32 Attr=%#RX32\n", pVCpu->idCpu, pMixedCtx->cs.Sel,
4536	pMixedCtx->cs.u64Base, pMixedCtx->cs.u32Limit, pMixedCtx->cs.Attr.u));
4537	}
4538
4539	/*
4540	* Guest TR.
4541	*/
4542	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_TR))
4543	{
4544	/*
4545	* Real-mode emulation using virtual-8086 mode with CR4.VME. Interrupt redirection is achieved
4546	* using the interrupt redirection bitmap (all bits cleared to let the guest handle INT-n's) in the TSS.
4547	* See hmR3InitFinalizeR0() to see how pRealModeTSS is setup.
4548	*/
4549	uint16_t u16Sel = 0;
4550	uint32_t u32Limit = 0;
4551	uint64_t u64Base = 0;
4552	uint32_t u32AccessRights = 0;
4553
4554	if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4555	{
4556	u16Sel = pMixedCtx->tr.Sel;
4557	u32Limit = pMixedCtx->tr.u32Limit;
4558	u64Base = pMixedCtx->tr.u64Base;
4559	u32AccessRights = pMixedCtx->tr.Attr.u;
4560	}
4561	else
4562	{
4563	Assert(pVM->hm.s.vmx.pRealModeTSS);
4564	Assert(PDMVmmDevHeapIsEnabled(pVM)); /* Guaranteed by HMR3CanExecuteGuest() -XXX- what about inner loop changes? */
4565
4566	/* We obtain it here every time as PCI regions could be reconfigured in the guest, changing the VMMDev base. */
4567	RTGCPHYS GCPhys;
4568	rc = PDMVmmDevHeapR3ToGCPhys(pVM, pVM->hm.s.vmx.pRealModeTSS, &GCPhys);
4569	AssertRCReturn(rc, rc);
4570
4571	X86DESCATTR DescAttr;
4572	DescAttr.u = 0;
4573	DescAttr.n.u1Present = 1;
4574	DescAttr.n.u4Type = X86_SEL_TYPE_SYS_386_TSS_BUSY;
4575
4576	u16Sel = 0;
4577	u32Limit = HM_VTX_TSS_SIZE;
4578	u64Base = GCPhys; /* in real-mode phys = virt. */
4579	u32AccessRights = DescAttr.u;
4580	}
4581
4582	/* Validate. */
4583	Assert(!(u16Sel & RT_BIT(2)));
4584	AssertMsg( (u32AccessRights & 0xf) == X86_SEL_TYPE_SYS_386_TSS_BUSY
4585	\|\| (u32AccessRights & 0xf) == X86_SEL_TYPE_SYS_286_TSS_BUSY, ("TSS is not busy!? %#x\n", u32AccessRights));
4586	AssertMsg(!(u32AccessRights & X86DESCATTR_UNUSABLE), ("TR unusable bit is not clear!? %#x\n", u32AccessRights));
4587	Assert(!(u32AccessRights & RT_BIT(4))); /* System MBZ.*/
4588	Assert(u32AccessRights & RT_BIT(7)); /* Present MB1.*/
4589	Assert(!(u32AccessRights & 0xf00)); /* 11:8 MBZ. */
4590	Assert(!(u32AccessRights & 0xfffe0000)); /* 31:17 MBZ. */
4591	Assert( (u32Limit & 0xfff) == 0xfff
4592	\|\| !(u32AccessRights & RT_BIT(15))); /* Granularity MBZ. */
4593	Assert( !(pMixedCtx->tr.u32Limit & 0xfff00000)
4594	\|\| (u32AccessRights & RT_BIT(15))); /* Granularity MB1. */
4595
4596	rc = VMXWriteVmcs32(VMX_VMCS16_GUEST_TR_SEL, u16Sel);
4597	rc \|= VMXWriteVmcs32(VMX_VMCS32_GUEST_TR_LIMIT, u32Limit);
4598	rc \|= VMXWriteVmcsGstN(VMX_VMCS_GUEST_TR_BASE, u64Base);
4599	rc \|= VMXWriteVmcs32(VMX_VMCS32_GUEST_TR_ACCESS_RIGHTS, u32AccessRights);
4600	AssertRCReturn(rc, rc);
4601
4602	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_TR);
4603	Log4(("Load[%RU32]: VMX_VMCS_GUEST_TR_BASE=%#RX64\n", pVCpu->idCpu, u64Base));
4604	}
4605
4606	/*
4607	* Guest GDTR.
4608	*/
4609	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_GDTR))
4610	{
4611	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_GDTR_LIMIT, pMixedCtx->gdtr.cbGdt);
4612	rc \|= VMXWriteVmcsGstN(VMX_VMCS_GUEST_GDTR_BASE, pMixedCtx->gdtr.pGdt);
4613	AssertRCReturn(rc, rc);
4614
4615	/* Validate. */
4616	Assert(!(pMixedCtx->gdtr.cbGdt & 0xffff0000)); /* Bits 31:16 MBZ. */
4617
4618	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_GDTR);
4619	Log4(("Load[%RU32]: VMX_VMCS_GUEST_GDTR_BASE=%#RX64\n", pVCpu->idCpu, pMixedCtx->gdtr.pGdt));
4620	}
4621
4622	/*
4623	* Guest LDTR.
4624	*/
4625	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_LDTR))
4626	{
4627	/* The unusable bit is specific to VT-x, if it's a null selector mark it as an unusable segment. */
4628	uint32_t u32Access = 0;
4629	if (!pMixedCtx->ldtr.Attr.u)
4630	u32Access = X86DESCATTR_UNUSABLE;
4631	else
4632	u32Access = pMixedCtx->ldtr.Attr.u;
4633
4634	rc = VMXWriteVmcs32(VMX_VMCS16_GUEST_LDTR_SEL, pMixedCtx->ldtr.Sel);
4635	rc \|= VMXWriteVmcs32(VMX_VMCS32_GUEST_LDTR_LIMIT, pMixedCtx->ldtr.u32Limit);
4636	rc \|= VMXWriteVmcsGstN(VMX_VMCS_GUEST_LDTR_BASE, pMixedCtx->ldtr.u64Base);
4637	rc \|= VMXWriteVmcs32(VMX_VMCS32_GUEST_LDTR_ACCESS_RIGHTS, u32Access);
4638	AssertRCReturn(rc, rc);
4639
4640	/* Validate. */
4641	if (!(u32Access & X86DESCATTR_UNUSABLE))
4642	{
4643	Assert(!(pMixedCtx->ldtr.Sel & RT_BIT(2))); /* TI MBZ. */
4644	Assert(pMixedCtx->ldtr.Attr.n.u4Type == 2); /* Type MB2 (LDT). */
4645	Assert(!pMixedCtx->ldtr.Attr.n.u1DescType); /* System MBZ. */
4646	Assert(pMixedCtx->ldtr.Attr.n.u1Present == 1); /* Present MB1. */
4647	Assert(!pMixedCtx->ldtr.Attr.n.u4LimitHigh); /* 11:8 MBZ. */
4648	Assert(!(pMixedCtx->ldtr.Attr.u & 0xfffe0000)); /* 31:17 MBZ. */
4649	Assert( (pMixedCtx->ldtr.u32Limit & 0xfff) == 0xfff
4650	\|\| !pMixedCtx->ldtr.Attr.n.u1Granularity); /* Granularity MBZ. */
4651	Assert( !(pMixedCtx->ldtr.u32Limit & 0xfff00000)
4652	\|\| pMixedCtx->ldtr.Attr.n.u1Granularity); /* Granularity MB1. */
4653	}
4654
4655	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_LDTR);
4656	Log4(("Load[%RU32]: VMX_VMCS_GUEST_LDTR_BASE=%#RX64\n", pVCpu->idCpu, pMixedCtx->ldtr.u64Base));
4657	}
4658
4659	/*
4660	* Guest IDTR.
4661	*/
4662	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_IDTR))
4663	{
4664	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_IDTR_LIMIT, pMixedCtx->idtr.cbIdt);
4665	rc \|= VMXWriteVmcsGstN(VMX_VMCS_GUEST_IDTR_BASE, pMixedCtx->idtr.pIdt);
4666	AssertRCReturn(rc, rc);
4667
4668	/* Validate. */
4669	Assert(!(pMixedCtx->idtr.cbIdt & 0xffff0000)); /* Bits 31:16 MBZ. */
4670
4671	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_IDTR);
4672	Log4(("Load[%RU32]: VMX_VMCS_GUEST_IDTR_BASE=%#RX64\n", pVCpu->idCpu, pMixedCtx->idtr.pIdt));
4673	}
4674
4675	return VINF_SUCCESS;
4676	}
4677
4678
4679	/**
4680	* Loads certain guest MSRs into the VM-entry MSR-load and VM-exit MSR-store
4681	* areas.
4682	*
4683	* These MSRs will automatically be loaded to the host CPU on every successful
4684	* VM-entry and stored from the host CPU on every successful VM-exit. This also
4685	* creates/updates MSR slots for the host MSRs. The actual host MSR values are
4686	* -not- updated here for performance reasons. See hmR0VmxSaveHostMsrs().
4687	*
4688	* Also loads the sysenter MSRs into the guest-state area in the VMCS.
4689	*
4690	* @returns VBox status code.
4691	* @param pVCpu The cross context virtual CPU structure.
4692	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4693	* out-of-sync. Make sure to update the required fields
4694	* before using them.
4695	*
4696	* @remarks No-long-jump zone!!!
4697	*/
4698	static int hmR0VmxLoadGuestMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4699	{
4700	AssertPtr(pVCpu);
4701	AssertPtr(pVCpu->hm.s.vmx.pvGuestMsr);
4702
4703	/*
4704	* MSRs that we use the auto-load/store MSR area in the VMCS.
4705	*/
4706	PVM pVM = pVCpu->CTX_SUFF(pVM);
4707	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_GUEST_AUTO_MSRS))
4708	{
4709	/* For 64-bit hosts, we load/restore them lazily, see hmR0VmxLazyLoadGuestMsrs(). */
4710	#if HC_ARCH_BITS == 32
4711	if (pVM->hm.s.fAllow64BitGuests)
4712	{
4713	int rc = hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_LSTAR, pMixedCtx->msrLSTAR, false, NULL);
4714	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K6_STAR, pMixedCtx->msrSTAR, false, NULL);
4715	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_SF_MASK, pMixedCtx->msrSFMASK, false, NULL);
4716	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_KERNEL_GS_BASE, pMixedCtx->msrKERNELGSBASE, false, NULL);
4717	AssertRCReturn(rc, rc);
4718	# ifdef LOG_ENABLED
4719	PVMXAUTOMSR pMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
4720	for (uint32_t i = 0; i < pVCpu->hm.s.vmx.cMsrs; i++, pMsr++)
4721	{
4722	Log4(("Load[%RU32]: MSR[%RU32]: u32Msr=%#RX32 u64Value=%#RX64\n", pVCpu->idCpu, i, pMsr->u32Msr,
4723	pMsr->u64Value));
4724	}
4725	# endif
4726	}
4727	#endif
4728	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_GUEST_AUTO_MSRS);
4729	}
4730
4731	/*
4732	* Guest Sysenter MSRs.
4733	* These flags are only set when MSR-bitmaps are not supported by the CPU and we cause
4734	* VM-exits on WRMSRs for these MSRs.
4735	*/
4736	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SYSENTER_CS_MSR))
4737	{
4738	int rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_SYSENTER_CS, pMixedCtx->SysEnter.cs); AssertRCReturn(rc, rc);
4739	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SYSENTER_CS_MSR);
4740	}
4741
4742	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SYSENTER_EIP_MSR))
4743	{
4744	int rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_SYSENTER_EIP, pMixedCtx->SysEnter.eip); AssertRCReturn(rc, rc);
4745	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SYSENTER_EIP_MSR);
4746	}
4747
4748	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SYSENTER_ESP_MSR))
4749	{
4750	int rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_SYSENTER_ESP, pMixedCtx->SysEnter.esp); AssertRCReturn(rc, rc);
4751	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SYSENTER_ESP_MSR);
4752	}
4753
4754	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_EFER_MSR))
4755	{
4756	if (hmR0VmxShouldSwapEferMsr(pVCpu, pMixedCtx))
4757	{
4758	/*
4759	* If the CPU supports VMCS controls for swapping EFER, use it. Otherwise, we have no option
4760	* but to use the auto-load store MSR area in the VMCS for swapping EFER. See @bugref{7368}.
4761	*/
4762	if (pVM->hm.s.vmx.fSupportsVmcsEfer)
4763	{
4764	int rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_EFER_FULL, pMixedCtx->msrEFER);
4765	AssertRCReturn(rc,rc);
4766	Log4(("Load[%RU32]: VMX_VMCS64_GUEST_EFER_FULL=%#RX64\n", pVCpu->idCpu, pMixedCtx->msrEFER));
4767	}
4768	else
4769	{
4770	int rc = hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K6_EFER, pMixedCtx->msrEFER, false /* fUpdateHostMsr */,
4771	NULL /* pfAddedAndUpdated */);
4772	AssertRCReturn(rc, rc);
4773
4774	/* We need to intercept reads too, see @bugref{7386#c16}. */
4775	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
4776	hmR0VmxSetMsrPermission(pVCpu, MSR_K6_EFER, VMXMSREXIT_INTERCEPT_READ, VMXMSREXIT_INTERCEPT_WRITE);
4777	Log4(("Load[%RU32]: MSR[--]: u32Msr=%#RX32 u64Value=%#RX64 cMsrs=%u\n", pVCpu->idCpu, MSR_K6_EFER,
4778	pMixedCtx->msrEFER, pVCpu->hm.s.vmx.cMsrs));
4779	}
4780	}
4781	else if (!pVM->hm.s.vmx.fSupportsVmcsEfer)
4782	hmR0VmxRemoveAutoLoadStoreMsr(pVCpu, MSR_K6_EFER);
4783	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_EFER_MSR);
4784	}
4785
4786	return VINF_SUCCESS;
4787	}
4788
4789
4790	/**
4791	* Loads the guest activity state into the guest-state area in the VMCS.
4792	*
4793	* @returns VBox status code.
4794	* @param pVCpu The cross context virtual CPU structure.
4795	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4796	* out-of-sync. Make sure to update the required fields
4797	* before using them.
4798	*
4799	* @remarks No-long-jump zone!!!
4800	*/
4801	static int hmR0VmxLoadGuestActivityState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4802	{
4803	NOREF(pMixedCtx);
4804	/** @todo See if we can make use of other states, e.g.
4805	* VMX_VMCS_GUEST_ACTIVITY_SHUTDOWN or HLT. */
4806	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_GUEST_ACTIVITY_STATE))
4807	{
4808	int rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_ACTIVITY_STATE, VMX_VMCS_GUEST_ACTIVITY_ACTIVE);
4809	AssertRCReturn(rc, rc);
4810
4811	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_GUEST_ACTIVITY_STATE);
4812	}
4813	return VINF_SUCCESS;
4814	}
4815
4816
4817	/**
4818	* Sets up the appropriate function to run guest code.
4819	*
4820	* @returns VBox status code.
4821	* @param pVCpu The cross context virtual CPU structure.
4822	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4823	* out-of-sync. Make sure to update the required fields
4824	* before using them.
4825	*
4826	* @remarks No-long-jump zone!!!
4827	*/
4828	static int hmR0VmxSetupVMRunHandler(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4829	{
4830	if (CPUMIsGuestInLongModeEx(pMixedCtx))
4831	{
4832	#ifndef VBOX_ENABLE_64_BITS_GUESTS
4833	return VERR_PGM_UNSUPPORTED_SHADOW_PAGING_MODE;
4834	#endif
4835	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests); /* Guaranteed by hmR3InitFinalizeR0(). */
4836	#if HC_ARCH_BITS == 32
4837	/* 32-bit host. We need to switch to 64-bit before running the 64-bit guest. */
4838	if (pVCpu->hm.s.vmx.pfnStartVM != VMXR0SwitcherStartVM64)
4839	{
4840	if (pVCpu->hm.s.vmx.pfnStartVM != NULL) /* Very first entry would have saved host-state already, ignore it. */
4841	{
4842	/* Currently, all mode changes sends us back to ring-3, so these should be set. See @bugref{6944}. */
4843	AssertMsg(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_VMX_EXIT_CTLS
4844	\| HM_CHANGED_VMX_ENTRY_CTLS
4845	\| HM_CHANGED_GUEST_EFER_MSR), ("flags=%#x\n", HMCPU_CF_VALUE(pVCpu)));
4846	}
4847	pVCpu->hm.s.vmx.pfnStartVM = VMXR0SwitcherStartVM64;
4848	}
4849	#else
4850	/* 64-bit host. */
4851	pVCpu->hm.s.vmx.pfnStartVM = VMXR0StartVM64;
4852	#endif
4853	}
4854	else
4855	{
4856	/* Guest is not in long mode, use the 32-bit handler. */
4857	#if HC_ARCH_BITS == 32
4858	if ( pVCpu->hm.s.vmx.pfnStartVM != VMXR0StartVM32
4859	&& pVCpu->hm.s.vmx.pfnStartVM != NULL) /* Very first entry would have saved host-state already, ignore it. */
4860	{
4861	/* Currently, all mode changes sends us back to ring-3, so these should be set. See @bugref{6944}. */
4862	AssertMsg(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_VMX_EXIT_CTLS
4863	\| HM_CHANGED_VMX_ENTRY_CTLS
4864	\| HM_CHANGED_GUEST_EFER_MSR), ("flags=%#x\n", HMCPU_CF_VALUE(pVCpu)));
4865	}
4866	#endif
4867	pVCpu->hm.s.vmx.pfnStartVM = VMXR0StartVM32;
4868	}
4869	Assert(pVCpu->hm.s.vmx.pfnStartVM);
4870	return VINF_SUCCESS;
4871	}
4872
4873
4874	/**
4875	* Wrapper for running the guest code in VT-x.
4876	*
4877	* @returns VBox status code, no informational status codes.
4878	* @param pVM The cross context VM structure.
4879	* @param pVCpu The cross context virtual CPU structure.
4880	* @param pCtx Pointer to the guest-CPU context.
4881	*
4882	* @remarks No-long-jump zone!!!
4883	*/
4884	DECLINLINE(int) hmR0VmxRunGuest(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
4885	{
4886	/*
4887	* 64-bit Windows uses XMM registers in the kernel as the Microsoft compiler expresses floating-point operations
4888	* using SSE instructions. Some XMM registers (XMM6-XMM15) are callee-saved and thus the need for this XMM wrapper.
4889	* Refer MSDN docs. "Configuring Programs for 64-bit / x64 Software Conventions / Register Usage" for details.
4890	*/
4891	bool const fResumeVM = RT_BOOL(pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_LAUNCHED);
4892	/** @todo Add stats for resume vs launch. */
4893	#ifdef VBOX_WITH_KERNEL_USING_XMM
4894	int rc = HMR0VMXStartVMWrapXMM(fResumeVM, pCtx, &pVCpu->hm.s.vmx.VMCSCache, pVM, pVCpu, pVCpu->hm.s.vmx.pfnStartVM);
4895	#else
4896	int rc = pVCpu->hm.s.vmx.pfnStartVM(fResumeVM, pCtx, &pVCpu->hm.s.vmx.VMCSCache, pVM, pVCpu);
4897	#endif
4898	AssertMsg(rc <= VINF_SUCCESS, ("%Rrc\n", rc));
4899	return rc;
4900	}
4901
4902
4903	/**
4904	* Reports world-switch error and dumps some useful debug info.
4905	*
4906	* @param pVM The cross context VM structure.
4907	* @param pVCpu The cross context virtual CPU structure.
4908	* @param rcVMRun The return code from VMLAUNCH/VMRESUME.
4909	* @param pCtx Pointer to the guest-CPU context.
4910	* @param pVmxTransient Pointer to the VMX transient structure (only
4911	* exitReason updated).
4912	*/
4913	static void hmR0VmxReportWorldSwitchError(PVM pVM, PVMCPU pVCpu, int rcVMRun, PCPUMCTX pCtx, PVMXTRANSIENT pVmxTransient)
4914	{
4915	Assert(pVM);
4916	Assert(pVCpu);
4917	Assert(pCtx);
4918	Assert(pVmxTransient);
4919	HMVMX_ASSERT_PREEMPT_SAFE();
4920
4921	Log4(("VM-entry failure: %Rrc\n", rcVMRun));
4922	switch (rcVMRun)
4923	{
4924	case VERR_VMX_INVALID_VMXON_PTR:
4925	AssertFailed();
4926	break;
4927	case VINF_SUCCESS: /* VMLAUNCH/VMRESUME succeeded but VM-entry failed... yeah, true story. */
4928	case VERR_VMX_UNABLE_TO_START_VM: /* VMLAUNCH/VMRESUME itself failed. */
4929	{
4930	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_REASON, &pVCpu->hm.s.vmx.LastError.u32ExitReason);
4931	rc \|= VMXReadVmcs32(VMX_VMCS32_RO_VM_INSTR_ERROR, &pVCpu->hm.s.vmx.LastError.u32InstrError);
4932	rc \|= hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
4933	AssertRC(rc);
4934
4935	pVCpu->hm.s.vmx.LastError.idEnteredCpu = pVCpu->hm.s.idEnteredCpu;
4936	/* LastError.idCurrentCpu was already updated in hmR0VmxPreRunGuestCommitted().
4937	Cannot do it here as we may have been long preempted. */
4938
4939	#ifdef VBOX_STRICT
4940	Log4(("uExitReason %#RX32 (VmxTransient %#RX16)\n", pVCpu->hm.s.vmx.LastError.u32ExitReason,
4941	pVmxTransient->uExitReason));
4942	Log4(("Exit Qualification %#RX64\n", pVmxTransient->uExitQualification));
4943	Log4(("InstrError %#RX32\n", pVCpu->hm.s.vmx.LastError.u32InstrError));
4944	if (pVCpu->hm.s.vmx.LastError.u32InstrError <= HMVMX_INSTR_ERROR_MAX)
4945	Log4(("InstrError Desc. \"%s\"\n", g_apszVmxInstrErrors[pVCpu->hm.s.vmx.LastError.u32InstrError]));
4946	else
4947	Log4(("InstrError Desc. Range exceeded %u\n", HMVMX_INSTR_ERROR_MAX));
4948	Log4(("Entered host CPU %u\n", pVCpu->hm.s.vmx.LastError.idEnteredCpu));
4949	Log4(("Current host CPU %u\n", pVCpu->hm.s.vmx.LastError.idCurrentCpu));
4950
4951	/* VMX control bits. */
4952	uint32_t u32Val;
4953	uint64_t u64Val;
4954	RTHCUINTREG uHCReg;
4955	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PIN_EXEC, &u32Val); AssertRC(rc);
4956	Log4(("VMX_VMCS32_CTRL_PIN_EXEC %#RX32\n", u32Val));
4957	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, &u32Val); AssertRC(rc);
4958	Log4(("VMX_VMCS32_CTRL_PROC_EXEC %#RX32\n", u32Val));
4959	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, &u32Val); AssertRC(rc);
4960	Log4(("VMX_VMCS32_CTRL_PROC_EXEC2 %#RX32\n", u32Val));
4961	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY, &u32Val); AssertRC(rc);
4962	Log4(("VMX_VMCS32_CTRL_ENTRY %#RX32\n", u32Val));
4963	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT, &u32Val); AssertRC(rc);
4964	Log4(("VMX_VMCS32_CTRL_EXIT %#RX32\n", u32Val));
4965	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_CR3_TARGET_COUNT, &u32Val); AssertRC(rc);
4966	Log4(("VMX_VMCS32_CTRL_CR3_TARGET_COUNT %#RX32\n", u32Val));
4967	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, &u32Val); AssertRC(rc);
4968	Log4(("VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO %#RX32\n", u32Val));
4969	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE, &u32Val); AssertRC(rc);
4970	Log4(("VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE %#RX32\n", u32Val));
4971	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH, &u32Val); AssertRC(rc);
4972	Log4(("VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH %u\n", u32Val));
4973	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_TPR_THRESHOLD, &u32Val); AssertRC(rc);
4974	Log4(("VMX_VMCS32_CTRL_TPR_THRESHOLD %u\n", u32Val));
4975	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, &u32Val); AssertRC(rc);
4976	Log4(("VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT %u (guest MSRs)\n", u32Val));
4977	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, &u32Val); AssertRC(rc);
4978	Log4(("VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT %u (host MSRs)\n", u32Val));
4979	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, &u32Val); AssertRC(rc);
4980	Log4(("VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT %u (guest MSRs)\n", u32Val));
4981	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, &u32Val); AssertRC(rc);
4982	Log4(("VMX_VMCS32_CTRL_EXCEPTION_BITMAP %#RX32\n", u32Val));
4983	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK, &u32Val); AssertRC(rc);
4984	Log4(("VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK %#RX32\n", u32Val));
4985	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH, &u32Val); AssertRC(rc);
4986	Log4(("VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH %#RX32\n", u32Val));
4987	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_MASK, &uHCReg); AssertRC(rc);
4988	Log4(("VMX_VMCS_CTRL_CR0_MASK %#RHr\n", uHCReg));
4989	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_READ_SHADOW, &uHCReg); AssertRC(rc);
4990	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
4991	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_MASK, &uHCReg); AssertRC(rc);
4992	Log4(("VMX_VMCS_CTRL_CR4_MASK %#RHr\n", uHCReg));
4993	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_READ_SHADOW, &uHCReg); AssertRC(rc);
4994	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
4995	rc = VMXReadVmcs64(VMX_VMCS64_CTRL_EPTP_FULL, &u64Val); AssertRC(rc);
4996	Log4(("VMX_VMCS64_CTRL_EPTP_FULL %#RX64\n", u64Val));
4997
4998	/* Guest bits. */
4999	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RIP, &u64Val); AssertRC(rc);
5000	Log4(("Old Guest Rip %#RX64 New %#RX64\n", pCtx->rip, u64Val));
5001	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RSP, &u64Val); AssertRC(rc);
5002	Log4(("Old Guest Rsp %#RX64 New %#RX64\n", pCtx->rsp, u64Val));
5003	rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &u32Val); AssertRC(rc);
5004	Log4(("Old Guest Rflags %#RX32 New %#RX32\n", pCtx->eflags.u32, u32Val));
5005	rc = VMXReadVmcs32(VMX_VMCS16_VPID, &u32Val); AssertRC(rc);
5006	Log4(("VMX_VMCS16_VPID %u\n", u32Val));
5007
5008	/* Host bits. */
5009	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_CR0, &uHCReg); AssertRC(rc);
5010	Log4(("Host CR0 %#RHr\n", uHCReg));
5011	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_CR3, &uHCReg); AssertRC(rc);
5012	Log4(("Host CR3 %#RHr\n", uHCReg));
5013	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_CR4, &uHCReg); AssertRC(rc);
5014	Log4(("Host CR4 %#RHr\n", uHCReg));
5015
5016	RTGDTR HostGdtr;
5017	PCX86DESCHC pDesc;
5018	ASMGetGDTR(&HostGdtr);
5019	rc = VMXReadVmcs32(VMX_VMCS16_HOST_CS_SEL, &u32Val); AssertRC(rc);
5020	Log4(("Host CS %#08x\n", u32Val));
5021	if (u32Val < HostGdtr.cbGdt)
5022	{
5023	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5024	HMR0DumpDescriptor(pDesc, u32Val, "CS: ");
5025	}
5026
5027	rc = VMXReadVmcs32(VMX_VMCS16_HOST_DS_SEL, &u32Val); AssertRC(rc);
5028	Log4(("Host DS %#08x\n", u32Val));
5029	if (u32Val < HostGdtr.cbGdt)
5030	{
5031	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5032	HMR0DumpDescriptor(pDesc, u32Val, "DS: ");
5033	}
5034
5035	rc = VMXReadVmcs32(VMX_VMCS16_HOST_ES_SEL, &u32Val); AssertRC(rc);
5036	Log4(("Host ES %#08x\n", u32Val));
5037	if (u32Val < HostGdtr.cbGdt)
5038	{
5039	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5040	HMR0DumpDescriptor(pDesc, u32Val, "ES: ");
5041	}
5042
5043	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FS_SEL, &u32Val); AssertRC(rc);
5044	Log4(("Host FS %#08x\n", u32Val));
5045	if (u32Val < HostGdtr.cbGdt)
5046	{
5047	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5048	HMR0DumpDescriptor(pDesc, u32Val, "FS: ");
5049	}
5050
5051	rc = VMXReadVmcs32(VMX_VMCS16_HOST_GS_SEL, &u32Val); AssertRC(rc);
5052	Log4(("Host GS %#08x\n", u32Val));
5053	if (u32Val < HostGdtr.cbGdt)
5054	{
5055	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5056	HMR0DumpDescriptor(pDesc, u32Val, "GS: ");
5057	}
5058
5059	rc = VMXReadVmcs32(VMX_VMCS16_HOST_SS_SEL, &u32Val); AssertRC(rc);
5060	Log4(("Host SS %#08x\n", u32Val));
5061	if (u32Val < HostGdtr.cbGdt)
5062	{
5063	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5064	HMR0DumpDescriptor(pDesc, u32Val, "SS: ");
5065	}
5066
5067	rc = VMXReadVmcs32(VMX_VMCS16_HOST_TR_SEL, &u32Val); AssertRC(rc);
5068	Log4(("Host TR %#08x\n", u32Val));
5069	if (u32Val < HostGdtr.cbGdt)
5070	{
5071	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
5072	HMR0DumpDescriptor(pDesc, u32Val, "TR: ");
5073	}
5074
5075	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_TR_BASE, &uHCReg); AssertRC(rc);
5076	Log4(("Host TR Base %#RHv\n", uHCReg));
5077	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_GDTR_BASE, &uHCReg); AssertRC(rc);
5078	Log4(("Host GDTR Base %#RHv\n", uHCReg));
5079	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_IDTR_BASE, &uHCReg); AssertRC(rc);
5080	Log4(("Host IDTR Base %#RHv\n", uHCReg));
5081	rc = VMXReadVmcs32(VMX_VMCS32_HOST_SYSENTER_CS, &u32Val); AssertRC(rc);
5082	Log4(("Host SYSENTER CS %#08x\n", u32Val));
5083	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_SYSENTER_EIP, &uHCReg); AssertRC(rc);
5084	Log4(("Host SYSENTER EIP %#RHv\n", uHCReg));
5085	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_SYSENTER_ESP, &uHCReg); AssertRC(rc);
5086	Log4(("Host SYSENTER ESP %#RHv\n", uHCReg));
5087	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_RSP, &uHCReg); AssertRC(rc);
5088	Log4(("Host RSP %#RHv\n", uHCReg));
5089	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_RIP, &uHCReg); AssertRC(rc);
5090	Log4(("Host RIP %#RHv\n", uHCReg));
5091	# if HC_ARCH_BITS == 64
5092	Log4(("MSR_K6_EFER = %#RX64\n", ASMRdMsr(MSR_K6_EFER)));
5093	Log4(("MSR_K8_CSTAR = %#RX64\n", ASMRdMsr(MSR_K8_CSTAR)));
5094	Log4(("MSR_K8_LSTAR = %#RX64\n", ASMRdMsr(MSR_K8_LSTAR)));
5095	Log4(("MSR_K6_STAR = %#RX64\n", ASMRdMsr(MSR_K6_STAR)));
5096	Log4(("MSR_K8_SF_MASK = %#RX64\n", ASMRdMsr(MSR_K8_SF_MASK)));
5097	Log4(("MSR_K8_KERNEL_GS_BASE = %#RX64\n", ASMRdMsr(MSR_K8_KERNEL_GS_BASE)));
5098	# endif
5099	#endif /* VBOX_STRICT */
5100	break;
5101	}
5102
5103	default:
5104	/* Impossible */
5105	AssertMsgFailed(("hmR0VmxReportWorldSwitchError %Rrc (%#x)\n", rcVMRun, rcVMRun));
5106	break;
5107	}
5108	NOREF(pVM); NOREF(pCtx);
5109	}
5110
5111
5112	#if HC_ARCH_BITS == 32 && defined(VBOX_ENABLE_64_BITS_GUESTS)
5113	#ifndef VMX_USE_CACHED_VMCS_ACCESSES
5114	# error "VMX_USE_CACHED_VMCS_ACCESSES not defined when it should be!"
5115	#endif
5116	#ifdef VBOX_STRICT
5117	static bool hmR0VmxIsValidWriteField(uint32_t idxField)
5118	{
5119	switch (idxField)
5120	{
5121	case VMX_VMCS_GUEST_RIP:
5122	case VMX_VMCS_GUEST_RSP:
5123	case VMX_VMCS_GUEST_SYSENTER_EIP:
5124	case VMX_VMCS_GUEST_SYSENTER_ESP:
5125	case VMX_VMCS_GUEST_GDTR_BASE:
5126	case VMX_VMCS_GUEST_IDTR_BASE:
5127	case VMX_VMCS_GUEST_CS_BASE:
5128	case VMX_VMCS_GUEST_DS_BASE:
5129	case VMX_VMCS_GUEST_ES_BASE:
5130	case VMX_VMCS_GUEST_FS_BASE:
5131	case VMX_VMCS_GUEST_GS_BASE:
5132	case VMX_VMCS_GUEST_SS_BASE:
5133	case VMX_VMCS_GUEST_LDTR_BASE:
5134	case VMX_VMCS_GUEST_TR_BASE:
5135	case VMX_VMCS_GUEST_CR3:
5136	return true;
5137	}
5138	return false;
5139	}
5140
5141	static bool hmR0VmxIsValidReadField(uint32_t idxField)
5142	{
5143	switch (idxField)
5144	{
5145	/* Read-only fields. */
5146	case VMX_VMCS_RO_EXIT_QUALIFICATION:
5147	return true;
5148	}
5149	/* Remaining readable fields should also be writable. */
5150	return hmR0VmxIsValidWriteField(idxField);
5151	}
5152	#endif /* VBOX_STRICT */
5153
5154
5155	/**
5156	* Executes the specified handler in 64-bit mode.
5157	*
5158	* @returns VBox status code (no informational status codes).
5159	* @param pVM The cross context VM structure.
5160	* @param pVCpu The cross context virtual CPU structure.
5161	* @param pCtx Pointer to the guest CPU context.
5162	* @param enmOp The operation to perform.
5163	* @param cParams Number of parameters.
5164	* @param paParam Array of 32-bit parameters.
5165	*/
5166	VMMR0DECL(int) VMXR0Execute64BitsHandler(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx, HM64ON32OP enmOp,
5167	uint32_t cParams, uint32_t *paParam)
5168	{
5169	NOREF(pCtx);
5170
5171	AssertReturn(pVM->hm.s.pfnHost32ToGuest64R0, VERR_HM_NO_32_TO_64_SWITCHER);
5172	Assert(enmOp > HM64ON32OP_INVALID && enmOp < HM64ON32OP_END);
5173	Assert(pVCpu->hm.s.vmx.VMCSCache.Write.cValidEntries <= RT_ELEMENTS(pVCpu->hm.s.vmx.VMCSCache.Write.aField));
5174	Assert(pVCpu->hm.s.vmx.VMCSCache.Read.cValidEntries <= RT_ELEMENTS(pVCpu->hm.s.vmx.VMCSCache.Read.aField));
5175
5176	#ifdef VBOX_STRICT
5177	for (uint32_t i = 0; i < pVCpu->hm.s.vmx.VMCSCache.Write.cValidEntries; i++)
5178	Assert(hmR0VmxIsValidWriteField(pVCpu->hm.s.vmx.VMCSCache.Write.aField[i]));
5179
5180	for (uint32_t i = 0; i <pVCpu->hm.s.vmx.VMCSCache.Read.cValidEntries; i++)
5181	Assert(hmR0VmxIsValidReadField(pVCpu->hm.s.vmx.VMCSCache.Read.aField[i]));
5182	#endif
5183
5184	/* Disable interrupts. */
5185	RTCCUINTREG fOldEFlags = ASMIntDisableFlags();
5186
5187	#ifdef VBOX_WITH_VMMR0_DISABLE_LAPIC_NMI
5188	RTCPUID idHostCpu = RTMpCpuId();
5189	CPUMR0SetLApic(pVCpu, idHostCpu);
5190	#endif
5191
5192	PHMGLOBALCPUINFO pCpu = HMR0GetCurrentCpu();
5193	RTHCPHYS HCPhysCpuPage = pCpu->HCPhysMemObj;
5194
5195	/* Clear VMCS. Marking it inactive, clearing implementation-specific data and writing VMCS data back to memory. */
5196	VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
5197
5198	/* Leave VMX Root Mode. */
5199	VMXDisable();
5200
5201	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
5202
5203	CPUMSetHyperESP(pVCpu, VMMGetStackRC(pVCpu));
5204	CPUMSetHyperEIP(pVCpu, enmOp);
5205	for (int i = (int)cParams - 1; i >= 0; i--)
5206	CPUMPushHyper(pVCpu, paParam[i]);
5207
5208	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatWorldSwitch3264, z);
5209
5210	/* Call the switcher. */
5211	int rc = pVM->hm.s.pfnHost32ToGuest64R0(pVM, RT_OFFSETOF(VM, aCpus[pVCpu->idCpu].cpum) - RT_OFFSETOF(VM, cpum));
5212	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatWorldSwitch3264, z);
5213
5214	/** @todo replace with hmR0VmxEnterRootMode() and hmR0VmxLeaveRootMode(). */
5215	/* Make sure the VMX instructions don't cause #UD faults. */
5216	SUPR0ChangeCR4(X86_CR4_VMXE, ~0);
5217
5218	/* Re-enter VMX Root Mode */
5219	int rc2 = VMXEnable(HCPhysCpuPage);
5220	if (RT_FAILURE(rc2))
5221	{
5222	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
5223	ASMSetFlags(fOldEFlags);
5224	pVM->hm.s.vmx.HCPhysVmxEnableError = HCPhysCpuPage;
5225	return rc2;
5226	}
5227
5228	rc2 = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
5229	AssertRC(rc2);
5230	Assert(!(ASMGetFlags() & X86_EFL_IF));
5231	ASMSetFlags(fOldEFlags);
5232	return rc;
5233	}
5234
5235
5236	/**
5237	* Prepares for and executes VMLAUNCH (64-bit guests) for 32-bit hosts
5238	* supporting 64-bit guests.
5239	*
5240	* @returns VBox status code.
5241	* @param fResume Whether to VMLAUNCH or VMRESUME.
5242	* @param pCtx Pointer to the guest-CPU context.
5243	* @param pCache Pointer to the VMCS cache.
5244	* @param pVM The cross context VM structure.
5245	* @param pVCpu The cross context virtual CPU structure.
5246	*/
5247	DECLASM(int) VMXR0SwitcherStartVM64(RTHCUINT fResume, PCPUMCTX pCtx, PVMCSCACHE pCache, PVM pVM, PVMCPU pVCpu)
5248	{
5249	NOREF(fResume);
5250
5251	PHMGLOBALCPUINFO pCpu = HMR0GetCurrentCpu();
5252	RTHCPHYS HCPhysCpuPage = pCpu->HCPhysMemObj;
5253
5254	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
5255	pCache->uPos = 1;
5256	pCache->interPD = PGMGetInterPaeCR3(pVM);
5257	pCache->pSwitcher = (uint64_t)pVM->hm.s.pfnHost32ToGuest64R0;
5258	#endif
5259
5260	#if defined(DEBUG) && defined(VMX_USE_CACHED_VMCS_ACCESSES)
5261	pCache->TestIn.HCPhysCpuPage = 0;
5262	pCache->TestIn.HCPhysVmcs = 0;
5263	pCache->TestIn.pCache = 0;
5264	pCache->TestOut.HCPhysVmcs = 0;
5265	pCache->TestOut.pCache = 0;
5266	pCache->TestOut.pCtx = 0;
5267	pCache->TestOut.eflags = 0;
5268	#else
5269	NOREF(pCache);
5270	#endif
5271
5272	uint32_t aParam[10];
5273	aParam[0] = (uint32_t)(HCPhysCpuPage); /* Param 1: VMXON physical address - Lo. */
5274	aParam[1] = (uint32_t)(HCPhysCpuPage >> 32); /* Param 1: VMXON physical address - Hi. */
5275	aParam[2] = (uint32_t)(pVCpu->hm.s.vmx.HCPhysVmcs); /* Param 2: VMCS physical address - Lo. */
5276	aParam[3] = (uint32_t)(pVCpu->hm.s.vmx.HCPhysVmcs >> 32); /* Param 2: VMCS physical address - Hi. */
5277	aParam[4] = VM_RC_ADDR(pVM, &pVM->aCpus[pVCpu->idCpu].hm.s.vmx.VMCSCache);
5278	aParam[5] = 0;
5279	aParam[6] = VM_RC_ADDR(pVM, pVM);
5280	aParam[7] = 0;
5281	aParam[8] = VM_RC_ADDR(pVM, pVCpu);
5282	aParam[9] = 0;
5283
5284	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
5285	pCtx->dr[4] = pVM->hm.s.vmx.pScratchPhys + 16 + 8;
5286	(uint32_t )(pVM->hm.s.vmx.pScratch + 16 + 8) = 1;
5287	#endif
5288	int rc = VMXR0Execute64BitsHandler(pVM, pVCpu, pCtx, HM64ON32OP_VMXRCStartVM64, RT_ELEMENTS(aParam), &aParam[0]);
5289
5290	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
5291	Assert((uint32_t )(pVM->hm.s.vmx.pScratch + 16 + 8) == 5);
5292	Assert(pCtx->dr[4] == 10);
5293	(uint32_t )(pVM->hm.s.vmx.pScratch + 16 + 8) = 0xff;
5294	#endif
5295
5296	#if defined(DEBUG) && defined(VMX_USE_CACHED_VMCS_ACCESSES)
5297	AssertMsg(pCache->TestIn.HCPhysCpuPage == HCPhysCpuPage, ("%RHp vs %RHp\n", pCache->TestIn.HCPhysCpuPage, HCPhysCpuPage));
5298	AssertMsg(pCache->TestIn.HCPhysVmcs == pVCpu->hm.s.vmx.HCPhysVmcs, ("%RHp vs %RHp\n", pCache->TestIn.HCPhysVmcs,
5299	pVCpu->hm.s.vmx.HCPhysVmcs));
5300	AssertMsg(pCache->TestIn.HCPhysVmcs == pCache->TestOut.HCPhysVmcs, ("%RHp vs %RHp\n", pCache->TestIn.HCPhysVmcs,
5301	pCache->TestOut.HCPhysVmcs));
5302	AssertMsg(pCache->TestIn.pCache == pCache->TestOut.pCache, ("%RGv vs %RGv\n", pCache->TestIn.pCache,
5303	pCache->TestOut.pCache));
5304	AssertMsg(pCache->TestIn.pCache == VM_RC_ADDR(pVM, &pVM->aCpus[pVCpu->idCpu].hm.s.vmx.VMCSCache),
5305	("%RGv vs %RGv\n", pCache->TestIn.pCache, VM_RC_ADDR(pVM, &pVM->aCpus[pVCpu->idCpu].hm.s.vmx.VMCSCache)));
5306	AssertMsg(pCache->TestIn.pCtx == pCache->TestOut.pCtx, ("%RGv vs %RGv\n", pCache->TestIn.pCtx,
5307	pCache->TestOut.pCtx));
5308	Assert(!(pCache->TestOut.eflags & X86_EFL_IF));
5309	#endif
5310	return rc;
5311	}
5312
5313
5314	/**
5315	* Initialize the VMCS-Read cache.
5316	*
5317	* The VMCS cache is used for 32-bit hosts running 64-bit guests (except 32-bit
5318	* Darwin which runs with 64-bit paging in 32-bit mode) for 64-bit fields that
5319	* cannot be accessed in 32-bit mode. Some 64-bit fields -can- be accessed
5320	* (those that have a 32-bit FULL & HIGH part).
5321	*
5322	* @returns VBox status code.
5323	* @param pVM The cross context VM structure.
5324	* @param pVCpu The cross context virtual CPU structure.
5325	*/
5326	static int hmR0VmxInitVmcsReadCache(PVM pVM, PVMCPU pVCpu)
5327	{
5328	#define VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, idxField) \
5329	{ \
5330	Assert(pCache->Read.aField[idxField##_CACHE_IDX] == 0); \
5331	pCache->Read.aField[idxField##_CACHE_IDX] = idxField; \
5332	pCache->Read.aFieldVal[idxField##_CACHE_IDX] = 0; \
5333	++cReadFields; \
5334	}
5335
5336	AssertPtr(pVM);
5337	AssertPtr(pVCpu);
5338	PVMCSCACHE pCache = &pVCpu->hm.s.vmx.VMCSCache;
5339	uint32_t cReadFields = 0;
5340
5341	/*
5342	* Don't remove the #if 0'd fields in this code. They're listed here for consistency
5343	* and serve to indicate exceptions to the rules.
5344	*/
5345
5346	/* Guest-natural selector base fields. */
5347	#if 0
5348	/* These are 32-bit in practice. See Intel spec. 2.5 "Control Registers". */
5349	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR0);
5350	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR4);
5351	#endif
5352	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_ES_BASE);
5353	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CS_BASE);
5354	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_SS_BASE);
5355	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_DS_BASE);
5356	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_FS_BASE);
5357	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_GS_BASE);
5358	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_LDTR_BASE);
5359	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_TR_BASE);
5360	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_GDTR_BASE);
5361	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_IDTR_BASE);
5362	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_RSP);
5363	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_RIP);
5364	#if 0
5365	/* Unused natural width guest-state fields. */
5366	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS);
5367	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR3); /* Handled in Nested Paging case */
5368	#endif
5369	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_SYSENTER_ESP);
5370	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_SYSENTER_EIP);
5371
5372	/* 64-bit guest-state fields; unused as we use two 32-bit VMREADs for these 64-bit fields (using "FULL" and "HIGH" fields). */
5373	#if 0
5374	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL);
5375	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_DEBUGCTL_FULL);
5376	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PAT_FULL);
5377	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_EFER_FULL);
5378	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PERF_GLOBAL_CTRL_FULL);
5379	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE0_FULL);
5380	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE1_FULL);
5381	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE2_FULL);
5382	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE3_FULL);
5383	#endif
5384
5385	/* Natural width guest-state fields. */
5386	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_RO_EXIT_QUALIFICATION);
5387	#if 0
5388	/* Currently unused field. */
5389	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_RO_EXIT_GUEST_LINEAR_ADDR);
5390	#endif
5391
5392	if (pVM->hm.s.fNestedPaging)
5393	{
5394	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR3);
5395	AssertMsg(cReadFields == VMX_VMCS_MAX_NESTED_PAGING_CACHE_IDX, ("cReadFields=%u expected %u\n", cReadFields,
5396	VMX_VMCS_MAX_NESTED_PAGING_CACHE_IDX));
5397	pCache->Read.cValidEntries = VMX_VMCS_MAX_NESTED_PAGING_CACHE_IDX;
5398	}
5399	else
5400	{
5401	AssertMsg(cReadFields == VMX_VMCS_MAX_CACHE_IDX, ("cReadFields=%u expected %u\n", cReadFields, VMX_VMCS_MAX_CACHE_IDX));
5402	pCache->Read.cValidEntries = VMX_VMCS_MAX_CACHE_IDX;
5403	}
5404
5405	#undef VMXLOCAL_INIT_READ_CACHE_FIELD
5406	return VINF_SUCCESS;
5407	}
5408
5409
5410	/**
5411	* Writes a field into the VMCS. This can either directly invoke a VMWRITE or
5412	* queue up the VMWRITE by using the VMCS write cache (on 32-bit hosts, except
5413	* darwin, running 64-bit guests).
5414	*
5415	* @returns VBox status code.
5416	* @param pVCpu The cross context virtual CPU structure.
5417	* @param idxField The VMCS field encoding.
5418	* @param u64Val 16, 32 or 64-bit value.
5419	*/
5420	VMMR0DECL(int) VMXWriteVmcs64Ex(PVMCPU pVCpu, uint32_t idxField, uint64_t u64Val)
5421	{
5422	int rc;
5423	switch (idxField)
5424	{
5425	/*
5426	* These fields consists of a "FULL" and a "HIGH" part which can be written to individually.
5427	*/
5428	/* 64-bit Control fields. */
5429	case VMX_VMCS64_CTRL_IO_BITMAP_A_FULL:
5430	case VMX_VMCS64_CTRL_IO_BITMAP_B_FULL:
5431	case VMX_VMCS64_CTRL_MSR_BITMAP_FULL:
5432	case VMX_VMCS64_CTRL_EXIT_MSR_STORE_FULL:
5433	case VMX_VMCS64_CTRL_EXIT_MSR_LOAD_FULL:
5434	case VMX_VMCS64_CTRL_ENTRY_MSR_LOAD_FULL:
5435	case VMX_VMCS64_CTRL_EXEC_VMCS_PTR_FULL:
5436	case VMX_VMCS64_CTRL_TSC_OFFSET_FULL:
5437	case VMX_VMCS64_CTRL_VAPIC_PAGEADDR_FULL:
5438	case VMX_VMCS64_CTRL_APIC_ACCESSADDR_FULL:
5439	case VMX_VMCS64_CTRL_VMFUNC_CTRLS_FULL:
5440	case VMX_VMCS64_CTRL_EPTP_FULL:
5441	case VMX_VMCS64_CTRL_EPTP_LIST_FULL:
5442	/* 64-bit Guest-state fields. */
5443	case VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL:
5444	case VMX_VMCS64_GUEST_DEBUGCTL_FULL:
5445	case VMX_VMCS64_GUEST_PAT_FULL:
5446	case VMX_VMCS64_GUEST_EFER_FULL:
5447	case VMX_VMCS64_GUEST_PERF_GLOBAL_CTRL_FULL:
5448	case VMX_VMCS64_GUEST_PDPTE0_FULL:
5449	case VMX_VMCS64_GUEST_PDPTE1_FULL:
5450	case VMX_VMCS64_GUEST_PDPTE2_FULL:
5451	case VMX_VMCS64_GUEST_PDPTE3_FULL:
5452	/* 64-bit Host-state fields. */
5453	case VMX_VMCS64_HOST_PAT_FULL:
5454	case VMX_VMCS64_HOST_EFER_FULL:
5455	case VMX_VMCS64_HOST_PERF_GLOBAL_CTRL_FULL:
5456	{
5457	rc = VMXWriteVmcs32(idxField, u64Val);
5458	rc \|= VMXWriteVmcs32(idxField + 1, (uint32_t)(u64Val >> 32));
5459	break;
5460	}
5461
5462	/*
5463	* These fields do not have high and low parts. Queue up the VMWRITE by using the VMCS write-cache (for 64-bit
5464	* values). When we switch the host to 64-bit mode for running 64-bit guests, these VMWRITEs get executed then.
5465	*/
5466	/* Natural-width Guest-state fields. */
5467	case VMX_VMCS_GUEST_CR3:
5468	case VMX_VMCS_GUEST_ES_BASE:
5469	case VMX_VMCS_GUEST_CS_BASE:
5470	case VMX_VMCS_GUEST_SS_BASE:
5471	case VMX_VMCS_GUEST_DS_BASE:
5472	case VMX_VMCS_GUEST_FS_BASE:
5473	case VMX_VMCS_GUEST_GS_BASE:
5474	case VMX_VMCS_GUEST_LDTR_BASE:
5475	case VMX_VMCS_GUEST_TR_BASE:
5476	case VMX_VMCS_GUEST_GDTR_BASE:
5477	case VMX_VMCS_GUEST_IDTR_BASE:
5478	case VMX_VMCS_GUEST_RSP:
5479	case VMX_VMCS_GUEST_RIP:
5480	case VMX_VMCS_GUEST_SYSENTER_ESP:
5481	case VMX_VMCS_GUEST_SYSENTER_EIP:
5482	{
5483	if (!(u64Val >> 32))
5484	{
5485	/* If this field is 64-bit, VT-x will zero out the top bits. */
5486	rc = VMXWriteVmcs32(idxField, (uint32_t)u64Val);
5487	}
5488	else
5489	{
5490	/* Assert that only the 32->64 switcher case should ever come here. */
5491	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests);
5492	rc = VMXWriteCachedVmcsEx(pVCpu, idxField, u64Val);
5493	}
5494	break;
5495	}
5496
5497	default:
5498	{
5499	AssertMsgFailed(("VMXWriteVmcs64Ex: Invalid field %#RX32 (pVCpu=%p u64Val=%#RX64)\n", idxField, pVCpu, u64Val));
5500	rc = VERR_INVALID_PARAMETER;
5501	break;
5502	}
5503	}
5504	AssertRCReturn(rc, rc);
5505	return rc;
5506	}
5507
5508
5509	/**
5510	* Queue up a VMWRITE by using the VMCS write cache.
5511	* This is only used on 32-bit hosts (except darwin) for 64-bit guests.
5512	*
5513	* @param pVCpu The cross context virtual CPU structure.
5514	* @param idxField The VMCS field encoding.
5515	* @param u64Val 16, 32 or 64-bit value.
5516	*/
5517	VMMR0DECL(int) VMXWriteCachedVmcsEx(PVMCPU pVCpu, uint32_t idxField, uint64_t u64Val)
5518	{
5519	AssertPtr(pVCpu);
5520	PVMCSCACHE pCache = &pVCpu->hm.s.vmx.VMCSCache;
5521
5522	AssertMsgReturn(pCache->Write.cValidEntries < VMCSCACHE_MAX_ENTRY - 1,
5523	("entries=%u\n", pCache->Write.cValidEntries), VERR_ACCESS_DENIED);
5524
5525	/* Make sure there are no duplicates. */
5526	for (uint32_t i = 0; i < pCache->Write.cValidEntries; i++)
5527	{
5528	if (pCache->Write.aField[i] == idxField)
5529	{
5530	pCache->Write.aFieldVal[i] = u64Val;
5531	return VINF_SUCCESS;
5532	}
5533	}
5534
5535	pCache->Write.aField[pCache->Write.cValidEntries] = idxField;
5536	pCache->Write.aFieldVal[pCache->Write.cValidEntries] = u64Val;
5537	pCache->Write.cValidEntries++;
5538	return VINF_SUCCESS;
5539	}
5540	#endif /* HC_ARCH_BITS == 32 && defined(VBOX_ENABLE_64_BITS_GUESTS) */
5541
5542
5543	/**
5544	* Sets up the usage of TSC-offsetting and updates the VMCS.
5545	*
5546	* If offsetting is not possible, cause VM-exits on RDTSC(P)s. Also sets up the
5547	* VMX preemption timer.
5548	*
5549	* @returns VBox status code.
5550	* @param pVM The cross context VM structure.
5551	* @param pVCpu The cross context virtual CPU structure.
5552	*
5553	* @remarks No-long-jump zone!!!
5554	*/
5555	static void hmR0VmxUpdateTscOffsettingAndPreemptTimer(PVM pVM, PVMCPU pVCpu)
5556	{
5557	int rc;
5558	bool fOffsettedTsc;
5559	bool fParavirtTsc;
5560	if (pVM->hm.s.vmx.fUsePreemptTimer)
5561	{
5562	uint64_t cTicksToDeadline = TMCpuTickGetDeadlineAndTscOffset(pVM, pVCpu, &pVCpu->hm.s.vmx.u64TSCOffset,
5563	&fOffsettedTsc, &fParavirtTsc);
5564
5565	/* Make sure the returned values have sane upper and lower boundaries. */
5566	uint64_t u64CpuHz = SUPGetCpuHzFromGipBySetIndex(g_pSUPGlobalInfoPage, pVCpu->iHostCpuSet);
5567	cTicksToDeadline = RT_MIN(cTicksToDeadline, u64CpuHz / 64); /* 1/64th of a second */
5568	cTicksToDeadline = RT_MAX(cTicksToDeadline, u64CpuHz / 2048); /* 1/2048th of a second */
5569	cTicksToDeadline >>= pVM->hm.s.vmx.cPreemptTimerShift;
5570
5571	uint32_t cPreemptionTickCount = (uint32_t)RT_MIN(cTicksToDeadline, UINT32_MAX - 16);
5572	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_PREEMPT_TIMER_VALUE, cPreemptionTickCount); AssertRC(rc);
5573	}
5574	else
5575	fOffsettedTsc = TMCpuTickCanUseRealTSC(pVM, pVCpu, &pVCpu->hm.s.vmx.u64TSCOffset, &fParavirtTsc);
5576
5577	/** @todo later optimize this to be done elsewhere and not before every
5578	* VM-entry. */
5579	if (fParavirtTsc)
5580	{
5581	/* Currently neither Hyper-V nor KVM need to update their paravirt. TSC
5582	information before every VM-entry, hence disable it for performance sake. */
5583	#if 0
5584	rc = GIMR0UpdateParavirtTsc(pVM, 0 /* u64Offset */);
5585	AssertRC(rc);
5586	#endif
5587	STAM_COUNTER_INC(&pVCpu->hm.s.StatTscParavirt);
5588	}
5589
5590	if (fOffsettedTsc && RT_LIKELY(!pVCpu->hm.s.fDebugWantRdTscExit))
5591	{
5592	/* Note: VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT takes precedence over TSC_OFFSET, applies to RDTSCP too. */
5593	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_TSC_OFFSET_FULL, pVCpu->hm.s.vmx.u64TSCOffset); AssertRC(rc);
5594
5595	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT;
5596	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls); AssertRC(rc);
5597	STAM_COUNTER_INC(&pVCpu->hm.s.StatTscOffset);
5598	}
5599	else
5600	{
5601	/* We can't use TSC-offsetting (non-fixed TSC, warp drive active etc.), VM-exit on RDTSC(P). */
5602	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT;
5603	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls); AssertRC(rc);
5604	STAM_COUNTER_INC(&pVCpu->hm.s.StatTscIntercept);
5605	}
5606	}
5607
5608
5609	/**
5610	* Determines if an exception is a contributory exception.
5611	*
5612	* Contributory exceptions are ones which can cause double-faults unless the
5613	* original exception was a benign exception. Page-fault is intentionally not
5614	* included here as it's a conditional contributory exception.
5615	*
5616	* @returns true if the exception is contributory, false otherwise.
5617	* @param uVector The exception vector.
5618	*/
5619	DECLINLINE(bool) hmR0VmxIsContributoryXcpt(const uint32_t uVector)
5620	{
5621	switch (uVector)
5622	{
5623	case X86_XCPT_GP:
5624	case X86_XCPT_SS:
5625	case X86_XCPT_NP:
5626	case X86_XCPT_TS:
5627	case X86_XCPT_DE:
5628	return true;
5629	default:
5630	break;
5631	}
5632	return false;
5633	}
5634
5635
5636	/**
5637	* Sets an event as a pending event to be injected into the guest.
5638	*
5639	* @param pVCpu The cross context virtual CPU structure.
5640	* @param u32IntInfo The VM-entry interruption-information field.
5641	* @param cbInstr The VM-entry instruction length in bytes (for software
5642	* interrupts, exceptions and privileged software
5643	* exceptions).
5644	* @param u32ErrCode The VM-entry exception error code.
5645	* @param GCPtrFaultAddress The fault-address (CR2) in case it's a
5646	* page-fault.
5647	*
5648	* @remarks Statistics counter assumes this is a guest event being injected or
5649	* re-injected into the guest, i.e. 'StatInjectPendingReflect' is
5650	* always incremented.
5651	*/
5652	DECLINLINE(void) hmR0VmxSetPendingEvent(PVMCPU pVCpu, uint32_t u32IntInfo, uint32_t cbInstr, uint32_t u32ErrCode,
5653	RTGCUINTPTR GCPtrFaultAddress)
5654	{
5655	Assert(!pVCpu->hm.s.Event.fPending);
5656	pVCpu->hm.s.Event.fPending = true;
5657	pVCpu->hm.s.Event.u64IntInfo = u32IntInfo;
5658	pVCpu->hm.s.Event.u32ErrCode = u32ErrCode;
5659	pVCpu->hm.s.Event.cbInstr = cbInstr;
5660	pVCpu->hm.s.Event.GCPtrFaultAddress = GCPtrFaultAddress;
5661	}
5662
5663
5664	/**
5665	* Sets a double-fault (\#DF) exception as pending-for-injection into the VM.
5666	*
5667	* @param pVCpu The cross context virtual CPU structure.
5668	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
5669	* out-of-sync. Make sure to update the required fields
5670	* before using them.
5671	*/
5672	DECLINLINE(void) hmR0VmxSetPendingXcptDF(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5673	{
5674	NOREF(pMixedCtx);
5675	uint32_t u32IntInfo = X86_XCPT_DF \| VMX_EXIT_INTERRUPTION_INFO_VALID;
5676	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
5677	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
5678	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
5679	}
5680
5681
5682	/**
5683	* Handle a condition that occurred while delivering an event through the guest
5684	* IDT.
5685	*
5686	* @returns Strict VBox status code (i.e. informational status codes too).
5687	* @retval VINF_SUCCESS if we should continue handling the VM-exit.
5688	* @retval VINF_HM_DOUBLE_FAULT if a \#DF condition was detected and we ought
5689	* to continue execution of the guest which will delivery the \#DF.
5690	* @retval VINF_EM_RESET if we detected a triple-fault condition.
5691	* @retval VERR_EM_GUEST_CPU_HANG if we detected a guest CPU hang.
5692	*
5693	* @param pVCpu The cross context virtual CPU structure.
5694	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
5695	* out-of-sync. Make sure to update the required fields
5696	* before using them.
5697	* @param pVmxTransient Pointer to the VMX transient structure.
5698	*
5699	* @remarks No-long-jump zone!!!
5700	*/
5701	static VBOXSTRICTRC hmR0VmxCheckExitDueToEventDelivery(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
5702	{
5703	uint32_t uExitVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(pVmxTransient->uExitIntInfo);
5704
5705	int rc2 = hmR0VmxReadIdtVectoringInfoVmcs(pVmxTransient); AssertRCReturn(rc2, rc2);
5706	rc2 = hmR0VmxReadExitIntInfoVmcs(pVmxTransient); AssertRCReturn(rc2, rc2);
5707
5708	VBOXSTRICTRC rcStrict = VINF_SUCCESS;
5709	if (VMX_IDT_VECTORING_INFO_VALID(pVmxTransient->uIdtVectoringInfo))
5710	{
5711	uint32_t uIdtVectorType = VMX_IDT_VECTORING_INFO_TYPE(pVmxTransient->uIdtVectoringInfo);
5712	uint32_t uIdtVector = VMX_IDT_VECTORING_INFO_VECTOR(pVmxTransient->uIdtVectoringInfo);
5713
5714	typedef enum
5715	{
5716	VMXREFLECTXCPT_XCPT, /* Reflect the exception to the guest or for further evaluation by VMM. */
5717	VMXREFLECTXCPT_DF, /* Reflect the exception as a double-fault to the guest. */
5718	VMXREFLECTXCPT_TF, /* Indicate a triple faulted state to the VMM. */
5719	VMXREFLECTXCPT_HANG, /* Indicate bad VM trying to deadlock the CPU. */
5720	VMXREFLECTXCPT_NONE /* Nothing to reflect. */
5721	} VMXREFLECTXCPT;
5722
5723	/* See Intel spec. 30.7.1.1 "Reflecting Exceptions to Guest Software". */
5724	VMXREFLECTXCPT enmReflect = VMXREFLECTXCPT_NONE;
5725	if (VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo))
5726	{
5727	if (uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT)
5728	{
5729	enmReflect = VMXREFLECTXCPT_XCPT;
5730	#ifdef VBOX_STRICT
5731	if ( hmR0VmxIsContributoryXcpt(uIdtVector)
5732	&& uExitVector == X86_XCPT_PF)
5733	{
5734	Log4(("IDT: vcpu[%RU32] Contributory #PF uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2));
5735	}
5736	#endif
5737	if ( uExitVector == X86_XCPT_PF
5738	&& uIdtVector == X86_XCPT_PF)
5739	{
5740	pVmxTransient->fVectoringDoublePF = true;
5741	Log4(("IDT: vcpu[%RU32] Vectoring Double #PF uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2));
5742	}
5743	else if ( uExitVector == X86_XCPT_AC
5744	&& uIdtVector == X86_XCPT_AC)
5745	{
5746	enmReflect = VMXREFLECTXCPT_HANG;
5747	Log4(("IDT: Nested #AC - Bad guest\n"));
5748	}
5749	else if ( (pVCpu->hm.s.vmx.u32XcptBitmap & HMVMX_CONTRIBUTORY_XCPT_MASK)
5750	&& hmR0VmxIsContributoryXcpt(uExitVector)
5751	&& ( hmR0VmxIsContributoryXcpt(uIdtVector)
5752	\|\| uIdtVector == X86_XCPT_PF))
5753	{
5754	enmReflect = VMXREFLECTXCPT_DF;
5755	}
5756	else if (uIdtVector == X86_XCPT_DF)
5757	enmReflect = VMXREFLECTXCPT_TF;
5758	}
5759	else if ( uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_EXT_INT
5760	\|\| uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_NMI)
5761	{
5762	/*
5763	* Ignore software interrupts (INT n), software exceptions (#BP, #OF) and
5764	* privileged software exception (#DB from ICEBP) as they reoccur when restarting the instruction.
5765	*/
5766	enmReflect = VMXREFLECTXCPT_XCPT;
5767
5768	if (uExitVector == X86_XCPT_PF)
5769	{
5770	pVmxTransient->fVectoringPF = true;
5771	Log4(("IDT: vcpu[%RU32] Vectoring #PF due to Ext-Int/NMI. uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2));
5772	}
5773	}
5774	}
5775	else if ( uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT
5776	\|\| uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_EXT_INT
5777	\|\| uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_NMI)
5778	{
5779	/*
5780	* If event delivery caused an EPT violation/misconfig or APIC access VM-exit, then the VM-exit
5781	* interruption-information will not be valid as it's not an exception and we end up here. In such cases,
5782	* it is sufficient to reflect the original exception to the guest after handling the VM-exit.
5783	*/
5784	enmReflect = VMXREFLECTXCPT_XCPT;
5785	}
5786
5787	/*
5788	* On CPUs that support Virtual NMIs, if this VM-exit (be it an exception or EPT violation/misconfig etc.) occurred
5789	* while delivering the NMI, we need to clear the block-by-NMI field in the guest interruptibility-state before
5790	* re-delivering the NMI after handling the VM-exit. Otherwise the subsequent VM-entry would fail.
5791	*
5792	* See Intel spec. 30.7.1.2 "Resuming Guest Software after Handling an Exception". See @bugref{7445}.
5793	*/
5794	if ( uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_NMI
5795	&& enmReflect == VMXREFLECTXCPT_XCPT
5796	&& (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI)
5797	&& VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
5798	{
5799	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_BLOCK_NMIS);
5800	}
5801
5802	switch (enmReflect)
5803	{
5804	case VMXREFLECTXCPT_XCPT:
5805	{
5806	Assert( uIdtVectorType != VMX_IDT_VECTORING_INFO_TYPE_SW_INT
5807	&& uIdtVectorType != VMX_IDT_VECTORING_INFO_TYPE_SW_XCPT
5808	&& uIdtVectorType != VMX_IDT_VECTORING_INFO_TYPE_PRIV_SW_XCPT);
5809
5810	uint32_t u32ErrCode = 0;
5811	if (VMX_IDT_VECTORING_INFO_ERROR_CODE_IS_VALID(pVmxTransient->uIdtVectoringInfo))
5812	{
5813	rc2 = hmR0VmxReadIdtVectoringErrorCodeVmcs(pVmxTransient);
5814	AssertRCReturn(rc2, rc2);
5815	u32ErrCode = pVmxTransient->uIdtVectoringErrorCode;
5816	}
5817
5818	/* If uExitVector is #PF, CR2 value will be updated from the VMCS if it's a guest #PF. See hmR0VmxExitXcptPF(). */
5819	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectPendingReflect);
5820	hmR0VmxSetPendingEvent(pVCpu, VMX_ENTRY_INT_INFO_FROM_EXIT_IDT_INFO(pVmxTransient->uIdtVectoringInfo),
5821	0 /* cbInstr */, u32ErrCode, pMixedCtx->cr2);
5822	rcStrict = VINF_SUCCESS;
5823	Log4(("IDT: vcpu[%RU32] Pending vectoring event %#RX64 Err=%#RX32\n", pVCpu->idCpu,
5824	pVCpu->hm.s.Event.u64IntInfo, pVCpu->hm.s.Event.u32ErrCode));
5825
5826	break;
5827	}
5828
5829	case VMXREFLECTXCPT_DF:
5830	{
5831	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectPendingReflect);
5832	hmR0VmxSetPendingXcptDF(pVCpu, pMixedCtx);
5833	rcStrict = VINF_HM_DOUBLE_FAULT;
5834	Log4(("IDT: vcpu[%RU32] Pending vectoring #DF %#RX64 uIdtVector=%#x uExitVector=%#x\n", pVCpu->idCpu,
5835	pVCpu->hm.s.Event.u64IntInfo, uIdtVector, uExitVector));
5836
5837	break;
5838	}
5839
5840	case VMXREFLECTXCPT_TF:
5841	{
5842	rcStrict = VINF_EM_RESET;
5843	Log4(("IDT: vcpu[%RU32] Pending vectoring triple-fault uIdt=%#x uExit=%#x\n", pVCpu->idCpu, uIdtVector,
5844	uExitVector));
5845	break;
5846	}
5847
5848	case VMXREFLECTXCPT_HANG:
5849	{
5850	rcStrict = VERR_EM_GUEST_CPU_HANG;
5851	break;
5852	}
5853
5854	default:
5855	Assert(rcStrict == VINF_SUCCESS);
5856	break;
5857	}
5858	}
5859	else if ( VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo)
5860	&& VMX_EXIT_INTERRUPTION_INFO_NMI_UNBLOCK_IRET(pVmxTransient->uExitIntInfo)
5861	&& uExitVector != X86_XCPT_DF
5862	&& (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI))
5863	{
5864	/*
5865	* Execution of IRET caused this fault when NMI blocking was in effect (i.e we're in the guest NMI handler).
5866	* We need to set the block-by-NMI field so that NMIs remain blocked until the IRET execution is restarted.
5867	* See Intel spec. 30.7.1.2 "Resuming guest software after handling an exception".
5868	*/
5869	if (!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
5870	{
5871	Log4(("hmR0VmxCheckExitDueToEventDelivery: vcpu[%RU32] Setting VMCPU_FF_BLOCK_NMIS. Valid=%RTbool uExitReason=%u\n",
5872	pVCpu->idCpu, VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo), pVmxTransient->uExitReason));
5873	VMCPU_FF_SET(pVCpu, VMCPU_FF_BLOCK_NMIS);
5874	}
5875	}
5876
5877	Assert( rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_HM_DOUBLE_FAULT
5878	\|\| rcStrict == VINF_EM_RESET \|\| rcStrict == VERR_EM_GUEST_CPU_HANG);
5879	return rcStrict;
5880	}
5881
5882
5883	/**
5884	* Saves the guest's CR0 register from the VMCS into the guest-CPU context.
5885	*
5886	* @returns VBox status code.
5887	* @param pVCpu The cross context virtual CPU structure.
5888	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5889	* out-of-sync. Make sure to update the required fields
5890	* before using them.
5891	*
5892	* @remarks No-long-jump zone!!!
5893	*/
5894	static int hmR0VmxSaveGuestCR0(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5895	{
5896	NOREF(pMixedCtx);
5897
5898	/*
5899	* While in the middle of saving guest-CR0, we could get preempted and re-invoked from the preemption hook,
5900	* see hmR0VmxLeave(). Safer to just make this code non-preemptible.
5901	*/
5902	VMMRZCallRing3Disable(pVCpu);
5903	HM_DISABLE_PREEMPT();
5904
5905	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0))
5906	{
5907	uint32_t uVal = 0;
5908	uint32_t uShadow = 0;
5909	int rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR0, &uVal);
5910	rc \|= VMXReadVmcs32(VMX_VMCS_CTRL_CR0_READ_SHADOW, &uShadow);
5911	AssertRCReturn(rc, rc);
5912
5913	uVal = (uShadow & pVCpu->hm.s.vmx.u32CR0Mask) \| (uVal & ~pVCpu->hm.s.vmx.u32CR0Mask);
5914	CPUMSetGuestCR0(pVCpu, uVal);
5915	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0);
5916	}
5917
5918	HM_RESTORE_PREEMPT();
5919	VMMRZCallRing3Enable(pVCpu);
5920	return VINF_SUCCESS;
5921	}
5922
5923
5924	/**
5925	* Saves the guest's CR4 register from the VMCS into the guest-CPU context.
5926	*
5927	* @returns VBox status code.
5928	* @param pVCpu The cross context virtual CPU structure.
5929	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5930	* out-of-sync. Make sure to update the required fields
5931	* before using them.
5932	*
5933	* @remarks No-long-jump zone!!!
5934	*/
5935	static int hmR0VmxSaveGuestCR4(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5936	{
5937	NOREF(pMixedCtx);
5938
5939	int rc = VINF_SUCCESS;
5940	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR4))
5941	{
5942	uint32_t uVal = 0;
5943	uint32_t uShadow = 0;
5944	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR4, &uVal);
5945	rc \|= VMXReadVmcs32(VMX_VMCS_CTRL_CR4_READ_SHADOW, &uShadow);
5946	AssertRCReturn(rc, rc);
5947
5948	uVal = (uShadow & pVCpu->hm.s.vmx.u32CR4Mask) \| (uVal & ~pVCpu->hm.s.vmx.u32CR4Mask);
5949	CPUMSetGuestCR4(pVCpu, uVal);
5950	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR4);
5951	}
5952	return rc;
5953	}
5954
5955
5956	/**
5957	* Saves the guest's RIP register from the VMCS into the guest-CPU context.
5958	*
5959	* @returns VBox status code.
5960	* @param pVCpu The cross context virtual CPU structure.
5961	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5962	* out-of-sync. Make sure to update the required fields
5963	* before using them.
5964	*
5965	* @remarks No-long-jump zone!!!
5966	*/
5967	static int hmR0VmxSaveGuestRip(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5968	{
5969	int rc = VINF_SUCCESS;
5970	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RIP))
5971	{
5972	uint64_t u64Val = 0;
5973	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RIP, &u64Val);
5974	AssertRCReturn(rc, rc);
5975
5976	pMixedCtx->rip = u64Val;
5977	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RIP);
5978	}
5979	return rc;
5980	}
5981
5982
5983	/**
5984	* Saves the guest's RSP register from the VMCS into the guest-CPU context.
5985	*
5986	* @returns VBox status code.
5987	* @param pVCpu The cross context virtual CPU structure.
5988	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5989	* out-of-sync. Make sure to update the required fields
5990	* before using them.
5991	*
5992	* @remarks No-long-jump zone!!!
5993	*/
5994	static int hmR0VmxSaveGuestRsp(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5995	{
5996	int rc = VINF_SUCCESS;
5997	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RSP))
5998	{
5999	uint64_t u64Val = 0;
6000	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RSP, &u64Val);
6001	AssertRCReturn(rc, rc);
6002
6003	pMixedCtx->rsp = u64Val;
6004	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RSP);
6005	}
6006	return rc;
6007	}
6008
6009
6010	/**
6011	* Saves the guest's RFLAGS from the VMCS into the guest-CPU context.
6012	*
6013	* @returns VBox status code.
6014	* @param pVCpu The cross context virtual CPU structure.
6015	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6016	* out-of-sync. Make sure to update the required fields
6017	* before using them.
6018	*
6019	* @remarks No-long-jump zone!!!
6020	*/
6021	static int hmR0VmxSaveGuestRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6022	{
6023	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS))
6024	{
6025	uint32_t uVal = 0;
6026	int rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &uVal);
6027	AssertRCReturn(rc, rc);
6028
6029	pMixedCtx->eflags.u32 = uVal;
6030	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active) /* Undo our real-on-v86-mode changes to eflags if necessary. */
6031	{
6032	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
6033	Log4(("Saving real-mode EFLAGS VT-x view=%#RX32\n", pMixedCtx->eflags.u32));
6034
6035	pMixedCtx->eflags.Bits.u1VM = 0;
6036	pMixedCtx->eflags.Bits.u2IOPL = pVCpu->hm.s.vmx.RealMode.Eflags.Bits.u2IOPL;
6037	}
6038
6039	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS);
6040	}
6041	return VINF_SUCCESS;
6042	}
6043
6044
6045	/**
6046	* Wrapper for saving the guest's RIP, RSP and RFLAGS from the VMCS into the
6047	* guest-CPU context.
6048	*/
6049	DECLINLINE(int) hmR0VmxSaveGuestRipRspRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6050	{
6051	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
6052	rc \|= hmR0VmxSaveGuestRsp(pVCpu, pMixedCtx);
6053	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
6054	return rc;
6055	}
6056
6057
6058	/**
6059	* Saves the guest's interruptibility-state ("interrupt shadow" as AMD calls it)
6060	* from the guest-state area in the VMCS.
6061	*
6062	* @param pVCpu The cross context virtual CPU structure.
6063	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6064	* out-of-sync. Make sure to update the required fields
6065	* before using them.
6066	*
6067	* @remarks No-long-jump zone!!!
6068	*/
6069	static void hmR0VmxSaveGuestIntrState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6070	{
6071	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_INTR_STATE))
6072	{
6073	uint32_t uIntrState = 0;
6074	int rc = VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &uIntrState);
6075	AssertRC(rc);
6076
6077	if (!uIntrState)
6078	{
6079	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
6080	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
6081
6082	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
6083	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_BLOCK_NMIS);
6084	}
6085	else
6086	{
6087	if (uIntrState & ( VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS
6088	\| VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI))
6089	{
6090	rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
6091	AssertRC(rc);
6092	rc = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx); /* for hmR0VmxGetGuestIntrState(). */
6093	AssertRC(rc);
6094
6095	EMSetInhibitInterruptsPC(pVCpu, pMixedCtx->rip);
6096	Assert(VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS));
6097	}
6098	else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
6099	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
6100
6101	if (uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI)
6102	{
6103	if (!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
6104	VMCPU_FF_SET(pVCpu, VMCPU_FF_BLOCK_NMIS);
6105	}
6106	else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
6107	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_BLOCK_NMIS);
6108	}
6109
6110	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_INTR_STATE);
6111	}
6112	}
6113
6114
6115	/**
6116	* Saves the guest's activity state.
6117	*
6118	* @returns VBox status code.
6119	* @param pVCpu The cross context virtual CPU structure.
6120	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6121	* out-of-sync. Make sure to update the required fields
6122	* before using them.
6123	*
6124	* @remarks No-long-jump zone!!!
6125	*/
6126	static int hmR0VmxSaveGuestActivityState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6127	{
6128	NOREF(pMixedCtx);
6129	/* Nothing to do for now until we make use of different guest-CPU activity state. Just update the flag. */
6130	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_ACTIVITY_STATE);
6131	return VINF_SUCCESS;
6132	}
6133
6134
6135	/**
6136	* Saves the guest SYSENTER MSRs (SYSENTER_CS, SYSENTER_EIP, SYSENTER_ESP) from
6137	* the current VMCS into the guest-CPU context.
6138	*
6139	* @returns VBox status code.
6140	* @param pVCpu The cross context virtual CPU structure.
6141	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6142	* out-of-sync. Make sure to update the required fields
6143	* before using them.
6144	*
6145	* @remarks No-long-jump zone!!!
6146	*/
6147	static int hmR0VmxSaveGuestSysenterMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6148	{
6149	int rc = VINF_SUCCESS;
6150	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR))
6151	{
6152	uint32_t u32Val = 0;
6153	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_SYSENTER_CS, &u32Val); AssertRCReturn(rc, rc);
6154	pMixedCtx->SysEnter.cs = u32Val;
6155	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR);
6156	}
6157
6158	uint64_t u64Val = 0;
6159	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR))
6160	{
6161	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_SYSENTER_EIP, &u64Val); AssertRCReturn(rc, rc);
6162	pMixedCtx->SysEnter.eip = u64Val;
6163	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR);
6164	}
6165	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR))
6166	{
6167	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_SYSENTER_ESP, &u64Val); AssertRCReturn(rc, rc);
6168	pMixedCtx->SysEnter.esp = u64Val;
6169	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR);
6170	}
6171	return rc;
6172	}
6173
6174
6175	/**
6176	* Saves the set of guest MSRs (that we restore lazily while leaving VT-x) from
6177	* the CPU back into the guest-CPU context.
6178	*
6179	* @returns VBox status code.
6180	* @param pVCpu The cross context virtual CPU structure.
6181	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6182	* out-of-sync. Make sure to update the required fields
6183	* before using them.
6184	*
6185	* @remarks No-long-jump zone!!!
6186	*/
6187	static int hmR0VmxSaveGuestLazyMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6188	{
6189	/* Since this can be called from our preemption hook it's safer to make the guest-MSRs update non-preemptible. */
6190	VMMRZCallRing3Disable(pVCpu);
6191	HM_DISABLE_PREEMPT();
6192
6193	/* Doing the check here ensures we don't overwrite already-saved guest MSRs from a preemption hook. */
6194	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS))
6195	{
6196	hmR0VmxLazySaveGuestMsrs(pVCpu, pMixedCtx);
6197	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS);
6198	}
6199
6200	HM_RESTORE_PREEMPT();
6201	VMMRZCallRing3Enable(pVCpu);
6202
6203	return VINF_SUCCESS;
6204	}
6205
6206
6207	/**
6208	* Saves the auto load/store'd guest MSRs from the current VMCS into
6209	* the guest-CPU context.
6210	*
6211	* @returns VBox status code.
6212	* @param pVCpu The cross context virtual CPU structure.
6213	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6214	* out-of-sync. Make sure to update the required fields
6215	* before using them.
6216	*
6217	* @remarks No-long-jump zone!!!
6218	*/
6219	static int hmR0VmxSaveGuestAutoLoadStoreMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6220	{
6221	if (HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS))
6222	return VINF_SUCCESS;
6223
6224	PVMXAUTOMSR pMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
6225	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
6226	Log4(("hmR0VmxSaveGuestAutoLoadStoreMsrs: cMsrs=%u\n", cMsrs));
6227	for (uint32_t i = 0; i < cMsrs; i++, pMsr++)
6228	{
6229	switch (pMsr->u32Msr)
6230	{
6231	case MSR_K8_TSC_AUX: CPUMR0SetGuestTscAux(pVCpu, pMsr->u64Value); break;
6232	case MSR_K8_LSTAR: pMixedCtx->msrLSTAR = pMsr->u64Value; break;
6233	case MSR_K6_STAR: pMixedCtx->msrSTAR = pMsr->u64Value; break;
6234	case MSR_K8_SF_MASK: pMixedCtx->msrSFMASK = pMsr->u64Value; break;
6235	case MSR_K8_KERNEL_GS_BASE: pMixedCtx->msrKERNELGSBASE = pMsr->u64Value; break;
6236	case MSR_K6_EFER: /* Nothing to do here since we intercept writes, see hmR0VmxLoadGuestMsrs(). */
6237	break;
6238
6239	default:
6240	{
6241	AssertMsgFailed(("Unexpected MSR in auto-load/store area. uMsr=%#RX32 cMsrs=%u\n", pMsr->u32Msr, cMsrs));
6242	pVCpu->hm.s.u32HMError = pMsr->u32Msr;
6243	return VERR_HM_UNEXPECTED_LD_ST_MSR;
6244	}
6245	}
6246	}
6247
6248	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS);
6249	return VINF_SUCCESS;
6250	}
6251
6252
6253	/**
6254	* Saves the guest control registers from the current VMCS into the guest-CPU
6255	* context.
6256	*
6257	* @returns VBox status code.
6258	* @param pVCpu The cross context virtual CPU structure.
6259	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6260	* out-of-sync. Make sure to update the required fields
6261	* before using them.
6262	*
6263	* @remarks No-long-jump zone!!!
6264	*/
6265	static int hmR0VmxSaveGuestControlRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6266	{
6267	/* Guest CR0. Guest FPU. */
6268	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6269	AssertRCReturn(rc, rc);
6270
6271	/* Guest CR4. */
6272	rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx);
6273	AssertRCReturn(rc, rc);
6274
6275	/* Guest CR2 - updated always during the world-switch or in #PF. */
6276	/* Guest CR3. Only changes with Nested Paging. This must be done -after- saving CR0 and CR4 from the guest! */
6277	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR3))
6278	{
6279	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0));
6280	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR4));
6281
6282	PVM pVM = pVCpu->CTX_SUFF(pVM);
6283	if ( pVM->hm.s.vmx.fUnrestrictedGuest
6284	\|\| ( pVM->hm.s.fNestedPaging
6285	&& CPUMIsGuestPagingEnabledEx(pMixedCtx)))
6286	{
6287	uint64_t u64Val = 0;
6288	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_CR3, &u64Val);
6289	if (pMixedCtx->cr3 != u64Val)
6290	{
6291	CPUMSetGuestCR3(pVCpu, u64Val);
6292	if (VMMRZCallRing3IsEnabled(pVCpu))
6293	{
6294	PGMUpdateCR3(pVCpu, u64Val);
6295	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
6296	}
6297	else
6298	{
6299	/* Set the force flag to inform PGM about it when necessary. It is cleared by PGMUpdateCR3().*/
6300	VMCPU_FF_SET(pVCpu, VMCPU_FF_HM_UPDATE_CR3);
6301	}
6302	}
6303
6304	/* If the guest is in PAE mode, sync back the PDPE's into the guest state. */
6305	if (CPUMIsGuestInPAEModeEx(pMixedCtx)) /* Reads CR0, CR4 and EFER MSR (EFER is always up-to-date). */
6306	{
6307	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE0_FULL, &pVCpu->hm.s.aPdpes[0].u);
6308	rc \|= VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE1_FULL, &pVCpu->hm.s.aPdpes[1].u);
6309	rc \|= VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE2_FULL, &pVCpu->hm.s.aPdpes[2].u);
6310	rc \|= VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE3_FULL, &pVCpu->hm.s.aPdpes[3].u);
6311	AssertRCReturn(rc, rc);
6312
6313	if (VMMRZCallRing3IsEnabled(pVCpu))
6314	{
6315	PGMGstUpdatePaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
6316	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES));
6317	}
6318	else
6319	{
6320	/* Set the force flag to inform PGM about it when necessary. It is cleared by PGMGstUpdatePaePdpes(). */
6321	VMCPU_FF_SET(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES);
6322	}
6323	}
6324	}
6325
6326	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR3);
6327	}
6328
6329	/*
6330	* Consider this scenario: VM-exit -> VMMRZCallRing3Enable() -> do stuff that causes a longjmp -> hmR0VmxCallRing3Callback()
6331	* -> VMMRZCallRing3Disable() -> hmR0VmxSaveGuestState() -> Set VMCPU_FF_HM_UPDATE_CR3 pending -> return from the longjmp
6332	* -> continue with VM-exit handling -> hmR0VmxSaveGuestControlRegs() and here we are.
6333	*
6334	* The reason for such complicated handling is because VM-exits that call into PGM expect CR3 to be up-to-date and thus
6335	* if any CR3-saves -before- the VM-exit (longjmp) postponed the CR3 update via the force-flag, any VM-exit handler that
6336	* calls into PGM when it re-saves CR3 will end up here and we call PGMUpdateCR3(). This is why the code below should
6337	* -NOT- check if HMVMX_UPDATED_GUEST_CR3 is already set or not!
6338	*
6339	* The longjmp exit path can't check these CR3 force-flags and call code that takes a lock again. We cover for it here.
6340	*/
6341	if (VMMRZCallRing3IsEnabled(pVCpu))
6342	{
6343	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3))
6344	PGMUpdateCR3(pVCpu, CPUMGetGuestCR3(pVCpu));
6345
6346	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES))
6347	PGMGstUpdatePaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
6348
6349	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
6350	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES));
6351	}
6352
6353	return rc;
6354	}
6355
6356
6357	/**
6358	* Reads a guest segment register from the current VMCS into the guest-CPU
6359	* context.
6360	*
6361	* @returns VBox status code.
6362	* @param pVCpu The cross context virtual CPU structure.
6363	* @param idxSel Index of the selector in the VMCS.
6364	* @param idxLimit Index of the segment limit in the VMCS.
6365	* @param idxBase Index of the segment base in the VMCS.
6366	* @param idxAccess Index of the access rights of the segment in the VMCS.
6367	* @param pSelReg Pointer to the segment selector.
6368	*
6369	* @remarks No-long-jump zone!!!
6370	* @remarks Never call this function directly!!! Use the VMXLOCAL_READ_SEG()
6371	* macro as that takes care of whether to read from the VMCS cache or
6372	* not.
6373	*/
6374	DECLINLINE(int) hmR0VmxReadSegmentReg(PVMCPU pVCpu, uint32_t idxSel, uint32_t idxLimit, uint32_t idxBase, uint32_t idxAccess,
6375	PCPUMSELREG pSelReg)
6376	{
6377	NOREF(pVCpu);
6378
6379	uint32_t u32Val = 0;
6380	int rc = VMXReadVmcs32(idxSel, &u32Val);
6381	AssertRCReturn(rc, rc);
6382	pSelReg->Sel = (uint16_t)u32Val;
6383	pSelReg->ValidSel = (uint16_t)u32Val;
6384	pSelReg->fFlags = CPUMSELREG_FLAGS_VALID;
6385
6386	rc = VMXReadVmcs32(idxLimit, &u32Val);
6387	AssertRCReturn(rc, rc);
6388	pSelReg->u32Limit = u32Val;
6389
6390	uint64_t u64Val = 0;
6391	rc = VMXReadVmcsGstNByIdxVal(idxBase, &u64Val);
6392	AssertRCReturn(rc, rc);
6393	pSelReg->u64Base = u64Val;
6394
6395	rc = VMXReadVmcs32(idxAccess, &u32Val);
6396	AssertRCReturn(rc, rc);
6397	pSelReg->Attr.u = u32Val;
6398
6399	/*
6400	* If VT-x marks the segment as unusable, most other bits remain undefined:
6401	* - For CS the L, D and G bits have meaning.
6402	* - For SS the DPL has meaning (it -is- the CPL for Intel and VBox).
6403	* - For the remaining data segments no bits are defined.
6404	*
6405	* The present bit and the unusable bit has been observed to be set at the
6406	* same time (the selector was supposed to be invalid as we started executing
6407	* a V8086 interrupt in ring-0).
6408	*
6409	* What should be important for the rest of the VBox code, is that the P bit is
6410	* cleared. Some of the other VBox code recognizes the unusable bit, but
6411	* AMD-V certainly don't, and REM doesn't really either. So, to be on the
6412	* safe side here, we'll strip off P and other bits we don't care about. If
6413	* any code breaks because Attr.u != 0 when Sel < 4, it should be fixed.
6414	*
6415	* See Intel spec. 27.3.2 "Saving Segment Registers and Descriptor-Table Registers".
6416	*/
6417	if (pSelReg->Attr.u & X86DESCATTR_UNUSABLE)
6418	{
6419	Assert(idxSel != VMX_VMCS16_GUEST_TR_SEL); /* TR is the only selector that can never be unusable. */
6420
6421	/* Masking off: X86DESCATTR_P, X86DESCATTR_LIMIT_HIGH, and X86DESCATTR_AVL. The latter two are really irrelevant. */
6422	pSelReg->Attr.u &= X86DESCATTR_UNUSABLE \| X86DESCATTR_L \| X86DESCATTR_D \| X86DESCATTR_G
6423	\| X86DESCATTR_DPL \| X86DESCATTR_TYPE \| X86DESCATTR_DT;
6424
6425	Log4(("hmR0VmxReadSegmentReg: Unusable idxSel=%#x attr=%#x -> %#x\n", idxSel, u32Val, pSelReg->Attr.u));
6426	#ifdef DEBUG_bird
6427	AssertMsg((u32Val & ~X86DESCATTR_P) == pSelReg->Attr.u,
6428	("%#x: %#x != %#x (sel=%#x base=%#llx limit=%#x)\n",
6429	idxSel, u32Val, pSelReg->Attr.u, pSelReg->Sel, pSelReg->u64Base, pSelReg->u32Limit));
6430	#endif
6431	}
6432	return VINF_SUCCESS;
6433	}
6434
6435
6436	#ifdef VMX_USE_CACHED_VMCS_ACCESSES
6437	# define VMXLOCAL_READ_SEG(Sel, CtxSel) \
6438	hmR0VmxReadSegmentReg(pVCpu, VMX_VMCS16_GUEST_##Sel##_SEL, VMX_VMCS32_GUEST_##Sel##_LIMIT, \
6439	VMX_VMCS_GUEST_##Sel##_BASE_CACHE_IDX, VMX_VMCS32_GUEST_##Sel##_ACCESS_RIGHTS, &pMixedCtx->CtxSel)
6440	#else
6441	# define VMXLOCAL_READ_SEG(Sel, CtxSel) \
6442	hmR0VmxReadSegmentReg(pVCpu, VMX_VMCS16_GUEST_##Sel##_SEL, VMX_VMCS32_GUEST_##Sel##_LIMIT, \
6443	VMX_VMCS_GUEST_##Sel##_BASE, VMX_VMCS32_GUEST_##Sel##_ACCESS_RIGHTS, &pMixedCtx->CtxSel)
6444	#endif
6445
6446
6447	/**
6448	* Saves the guest segment registers from the current VMCS into the guest-CPU
6449	* context.
6450	*
6451	* @returns VBox status code.
6452	* @param pVCpu The cross context virtual CPU structure.
6453	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6454	* out-of-sync. Make sure to update the required fields
6455	* before using them.
6456	*
6457	* @remarks No-long-jump zone!!!
6458	*/
6459	static int hmR0VmxSaveGuestSegmentRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6460	{
6461	/* Guest segment registers. */
6462	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SEGMENT_REGS))
6463	{
6464	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6465	AssertRCReturn(rc, rc);
6466
6467	rc = VMXLOCAL_READ_SEG(CS, cs);
6468	rc \|= VMXLOCAL_READ_SEG(SS, ss);
6469	rc \|= VMXLOCAL_READ_SEG(DS, ds);
6470	rc \|= VMXLOCAL_READ_SEG(ES, es);
6471	rc \|= VMXLOCAL_READ_SEG(FS, fs);
6472	rc \|= VMXLOCAL_READ_SEG(GS, gs);
6473	AssertRCReturn(rc, rc);
6474
6475	/* Restore segment attributes for real-on-v86 mode hack. */
6476	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
6477	{
6478	pMixedCtx->cs.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrCS.u;
6479	pMixedCtx->ss.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrSS.u;
6480	pMixedCtx->ds.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrDS.u;
6481	pMixedCtx->es.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrES.u;
6482	pMixedCtx->fs.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrFS.u;
6483	pMixedCtx->gs.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrGS.u;
6484	}
6485	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SEGMENT_REGS);
6486	}
6487
6488	return VINF_SUCCESS;
6489	}
6490
6491
6492	/**
6493	* Saves the guest descriptor table registers and task register from the current
6494	* VMCS into the guest-CPU context.
6495	*
6496	* @returns VBox status code.
6497	* @param pVCpu The cross context virtual CPU structure.
6498	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6499	* out-of-sync. Make sure to update the required fields
6500	* before using them.
6501	*
6502	* @remarks No-long-jump zone!!!
6503	*/
6504	static int hmR0VmxSaveGuestTableRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6505	{
6506	int rc = VINF_SUCCESS;
6507
6508	/* Guest LDTR. */
6509	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LDTR))
6510	{
6511	rc = VMXLOCAL_READ_SEG(LDTR, ldtr);
6512	AssertRCReturn(rc, rc);
6513	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LDTR);
6514	}
6515
6516	/* Guest GDTR. */
6517	uint64_t u64Val = 0;
6518	uint32_t u32Val = 0;
6519	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_GDTR))
6520	{
6521	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_GDTR_BASE, &u64Val);
6522	rc \|= VMXReadVmcs32(VMX_VMCS32_GUEST_GDTR_LIMIT, &u32Val); AssertRCReturn(rc, rc);
6523	pMixedCtx->gdtr.pGdt = u64Val;
6524	pMixedCtx->gdtr.cbGdt = u32Val;
6525	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_GDTR);
6526	}
6527
6528	/* Guest IDTR. */
6529	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_IDTR))
6530	{
6531	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_IDTR_BASE, &u64Val);
6532	rc \|= VMXReadVmcs32(VMX_VMCS32_GUEST_IDTR_LIMIT, &u32Val); AssertRCReturn(rc, rc);
6533	pMixedCtx->idtr.pIdt = u64Val;
6534	pMixedCtx->idtr.cbIdt = u32Val;
6535	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_IDTR);
6536	}
6537
6538	/* Guest TR. */
6539	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_TR))
6540	{
6541	rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6542	AssertRCReturn(rc, rc);
6543
6544	/* For real-mode emulation using virtual-8086 mode we have the fake TSS (pRealModeTSS) in TR, don't save the fake one. */
6545	if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
6546	{
6547	rc = VMXLOCAL_READ_SEG(TR, tr);
6548	AssertRCReturn(rc, rc);
6549	}
6550	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_TR);
6551	}
6552	return rc;
6553	}
6554
6555	#undef VMXLOCAL_READ_SEG
6556
6557
6558	/**
6559	* Saves the guest debug-register DR7 from the current VMCS into the guest-CPU
6560	* context.
6561	*
6562	* @returns VBox status code.
6563	* @param pVCpu The cross context virtual CPU structure.
6564	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6565	* out-of-sync. Make sure to update the required fields
6566	* before using them.
6567	*
6568	* @remarks No-long-jump zone!!!
6569	*/
6570	static int hmR0VmxSaveGuestDR7(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6571	{
6572	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_DEBUG))
6573	{
6574	if (!pVCpu->hm.s.fUsingHyperDR7)
6575	{
6576	/* Upper 32-bits are always zero. See Intel spec. 2.7.3 "Loading and Storing Debug Registers". */
6577	uint32_t u32Val;
6578	int rc = VMXReadVmcs32(VMX_VMCS_GUEST_DR7, &u32Val); AssertRCReturn(rc, rc);
6579	pMixedCtx->dr[7] = u32Val;
6580	}
6581
6582	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_DEBUG);
6583	}
6584	return VINF_SUCCESS;
6585	}
6586
6587
6588	/**
6589	* Saves the guest APIC state from the current VMCS into the guest-CPU context.
6590	*
6591	* @returns VBox status code.
6592	* @param pVCpu The cross context virtual CPU structure.
6593	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6594	* out-of-sync. Make sure to update the required fields
6595	* before using them.
6596	*
6597	* @remarks No-long-jump zone!!!
6598	*/
6599	static int hmR0VmxSaveGuestApicState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6600	{
6601	NOREF(pMixedCtx);
6602
6603	/* Updating TPR is already done in hmR0VmxPostRunGuest(). Just update the flag. */
6604	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_APIC_STATE);
6605	return VINF_SUCCESS;
6606	}
6607
6608
6609	/**
6610	* Saves the entire guest state from the currently active VMCS into the
6611	* guest-CPU context.
6612	*
6613	* This essentially VMREADs all guest-data.
6614	*
6615	* @returns VBox status code.
6616	* @param pVCpu The cross context virtual CPU structure.
6617	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
6618	* out-of-sync. Make sure to update the required fields
6619	* before using them.
6620	*/
6621	static int hmR0VmxSaveGuestState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6622	{
6623	Assert(pVCpu);
6624	Assert(pMixedCtx);
6625
6626	if (HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL)
6627	return VINF_SUCCESS;
6628
6629	/* Though we can longjmp to ring-3 due to log-flushes here and get recalled
6630	again on the ring-3 callback path, there is no real need to. */
6631	if (VMMRZCallRing3IsEnabled(pVCpu))
6632	VMMR0LogFlushDisable(pVCpu);
6633	else
6634	Assert(VMMR0IsLogFlushDisabled(pVCpu));
6635	Log4Func(("vcpu[%RU32]\n", pVCpu->idCpu));
6636
6637	int rc = hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
6638	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestRipRspRflags failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6639
6640	rc = hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
6641	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestControlRegs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6642
6643	rc = hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
6644	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestSegmentRegs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6645
6646	rc = hmR0VmxSaveGuestTableRegs(pVCpu, pMixedCtx);
6647	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestTableRegs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6648
6649	rc = hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
6650	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestDR7 failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6651
6652	rc = hmR0VmxSaveGuestSysenterMsrs(pVCpu, pMixedCtx);
6653	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestSysenterMsrs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6654
6655	rc = hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
6656	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestLazyMsrs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6657
6658	rc = hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
6659	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestAutoLoadStoreMsrs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6660
6661	rc = hmR0VmxSaveGuestActivityState(pVCpu, pMixedCtx);
6662	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestActivityState failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6663
6664	rc = hmR0VmxSaveGuestApicState(pVCpu, pMixedCtx);
6665	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestApicState failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6666
6667	AssertMsg(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL,
6668	("Missed guest state bits while saving state; missing %RX32 (got %RX32, want %RX32) - check log for any previous errors!\n",
6669	HMVMX_UPDATED_GUEST_ALL ^ HMVMXCPU_GST_VALUE(pVCpu), HMVMXCPU_GST_VALUE(pVCpu), HMVMX_UPDATED_GUEST_ALL));
6670
6671	if (VMMRZCallRing3IsEnabled(pVCpu))
6672	VMMR0LogFlushEnable(pVCpu);
6673
6674	return VINF_SUCCESS;
6675	}
6676
6677
6678	/**
6679	* Saves basic guest registers needed for IEM instruction execution.
6680	*
6681	* @returns VBox status code (OR-able).
6682	* @param pVCpu The cross context virtual CPU structure of the calling EMT.
6683	* @param pMixedCtx Pointer to the CPU context of the guest.
6684	* @param fMemory Whether the instruction being executed operates on
6685	* memory or not. Only CR0 is synced up if clear.
6686	* @param fNeedRsp Need RSP (any instruction working on GPRs or stack).
6687	*/
6688	static int hmR0VmxSaveGuestRegsForIemExec(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fMemory, bool fNeedRsp)
6689	{
6690	/*
6691	* We assume all general purpose registers other than RSP are available.
6692	*
6693	* RIP is a must, as it will be incremented or otherwise changed.
6694	*
6695	* RFLAGS are always required to figure the CPL.
6696	*
6697	* RSP isn't always required, however it's a GPR, so frequently required.
6698	*
6699	* SS and CS are the only segment register needed if IEM doesn't do memory
6700	* access (CPL + 16/32/64-bit mode), but we can only get all segment registers.
6701	*
6702	* CR0 is always required by IEM for the CPL, while CR3 and CR4 will only
6703	* be required for memory accesses.
6704	*
6705	* Note! Before IEM dispatches an exception, it will call us to sync in everything.
6706	*/
6707	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
6708	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
6709	if (fNeedRsp)
6710	rc \|= hmR0VmxSaveGuestRsp(pVCpu, pMixedCtx);
6711	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
6712	if (!fMemory)
6713	rc \|= hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6714	else
6715	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
6716	AssertRCReturn(rc, rc);
6717	return rc;
6718	}
6719
6720
6721	/**
6722	* Ensures that we've got a complete basic guest-context.
6723	*
6724	* This excludes the FPU, SSE, AVX, and similar extended state. The interface
6725	* is for the interpreter.
6726	*
6727	* @returns VBox status code.
6728	* @param pVCpu The cross context virtual CPU structure of the calling EMT.
6729	* @param pMixedCtx Pointer to the guest-CPU context which may have data
6730	* needing to be synced in.
6731	* @thread EMT(pVCpu)
6732	*/
6733	VMMR0_INT_DECL(int) HMR0EnsureCompleteBasicContext(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6734	{
6735	/* Note! Since this is only applicable to VT-x, the implementation is placed
6736	in the VT-x part of the sources instead of the generic stuff. */
6737	if (pVCpu->CTX_SUFF(pVM)->hm.s.vmx.fSupported)
6738	{
6739	/* For now, imply that the caller might change everything too. */
6740	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
6741	return hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
6742	}
6743	return VINF_SUCCESS;
6744	}
6745
6746
6747	/**
6748	* Check per-VM and per-VCPU force flag actions that require us to go back to
6749	* ring-3 for one reason or another.
6750	*
6751	* @returns Strict VBox status code (i.e. informational status codes too)
6752	* @retval VINF_SUCCESS if we don't have any actions that require going back to
6753	* ring-3.
6754	* @retval VINF_PGM_SYNC_CR3 if we have pending PGM CR3 sync.
6755	* @retval VINF_EM_PENDING_REQUEST if we have pending requests (like hardware
6756	* interrupts)
6757	* @retval VINF_PGM_POOL_FLUSH_PENDING if PGM is doing a pool flush and requires
6758	* all EMTs to be in ring-3.
6759	* @retval VINF_EM_RAW_TO_R3 if there is pending DMA requests.
6760	* @retval VINF_EM_NO_MEMORY PGM is out of memory, we need to return
6761	* to the EM loop.
6762	*
6763	* @param pVM The cross context VM structure.
6764	* @param pVCpu The cross context virtual CPU structure.
6765	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
6766	* out-of-sync. Make sure to update the required fields
6767	* before using them.
6768	* @param fStepping Running in hmR0VmxRunGuestCodeStep().
6769	*/
6770	static VBOXSTRICTRC hmR0VmxCheckForceFlags(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fStepping)
6771	{
6772	Assert(VMMRZCallRing3IsEnabled(pVCpu));
6773
6774	/*
6775	* Anything pending? Should be more likely than not if we're doing a good job.
6776	*/
6777	if ( !fStepping
6778	? !VM_FF_IS_PENDING(pVM, VM_FF_HP_R0_PRE_HM_MASK)
6779	&& !VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HP_R0_PRE_HM_MASK)
6780	: !VM_FF_IS_PENDING(pVM, VM_FF_HP_R0_PRE_HM_STEP_MASK)
6781	&& !VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HP_R0_PRE_HM_STEP_MASK) )
6782	return VINF_SUCCESS;
6783
6784	/* We need the control registers now, make sure the guest-CPU context is updated. */
6785	int rc3 = hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
6786	AssertRCReturn(rc3, rc3);
6787
6788	/* Pending HM CR3 sync. */
6789	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3))
6790	{
6791	int rc2 = PGMUpdateCR3(pVCpu, pMixedCtx->cr3);
6792	AssertMsgReturn(rc2 == VINF_SUCCESS \|\| rc2 == VINF_PGM_SYNC_CR3,
6793	("%Rrc\n", rc2), RT_FAILURE_NP(rc2) ? rc2 : VERR_IPE_UNEXPECTED_INFO_STATUS);
6794	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
6795	}
6796
6797	/* Pending HM PAE PDPEs. */
6798	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES))
6799	{
6800	PGMGstUpdatePaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
6801	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES));
6802	}
6803
6804	/* Pending PGM C3 sync. */
6805	if (VMCPU_FF_IS_PENDING(pVCpu,VMCPU_FF_PGM_SYNC_CR3 \| VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL))
6806	{
6807	VBOXSTRICTRC rcStrict2 = PGMSyncCR3(pVCpu, pMixedCtx->cr0, pMixedCtx->cr3, pMixedCtx->cr4,
6808	VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_PGM_SYNC_CR3));
6809	if (rcStrict2 != VINF_SUCCESS)
6810	{
6811	AssertRC(VBOXSTRICTRC_VAL(rcStrict2));
6812	Log4(("hmR0VmxCheckForceFlags: PGMSyncCR3 forcing us back to ring-3. rc2=%d\n", VBOXSTRICTRC_VAL(rcStrict2)));
6813	return rcStrict2;
6814	}
6815	}
6816
6817	/* Pending HM-to-R3 operations (critsects, timers, EMT rendezvous etc.) */
6818	if ( VM_FF_IS_PENDING(pVM, VM_FF_HM_TO_R3_MASK)
6819	\|\| VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_TO_R3_MASK))
6820	{
6821	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHmToR3FF);
6822	int rc2 = RT_UNLIKELY(VM_FF_IS_PENDING(pVM, VM_FF_PGM_NO_MEMORY)) ? VINF_EM_NO_MEMORY : VINF_EM_RAW_TO_R3;
6823	Log4(("hmR0VmxCheckForceFlags: HM_TO_R3 forcing us back to ring-3. rc=%d\n", rc2));
6824	return rc2;
6825	}
6826
6827	/* Pending VM request packets, such as hardware interrupts. */
6828	if ( VM_FF_IS_PENDING(pVM, VM_FF_REQUEST)
6829	\|\| VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_REQUEST))
6830	{
6831	Log4(("hmR0VmxCheckForceFlags: Pending VM request forcing us back to ring-3\n"));
6832	return VINF_EM_PENDING_REQUEST;
6833	}
6834
6835	/* Pending PGM pool flushes. */
6836	if (VM_FF_IS_PENDING(pVM, VM_FF_PGM_POOL_FLUSH_PENDING))
6837	{
6838	Log4(("hmR0VmxCheckForceFlags: PGM pool flush pending forcing us back to ring-3\n"));
6839	return VINF_PGM_POOL_FLUSH_PENDING;
6840	}
6841
6842	/* Pending DMA requests. */
6843	if (VM_FF_IS_PENDING(pVM, VM_FF_PDM_DMA))
6844	{
6845	Log4(("hmR0VmxCheckForceFlags: Pending DMA request forcing us back to ring-3\n"));
6846	return VINF_EM_RAW_TO_R3;
6847	}
6848
6849	return VINF_SUCCESS;
6850	}
6851
6852
6853	/**
6854	* Converts any TRPM trap into a pending HM event. This is typically used when
6855	* entering from ring-3 (not longjmp returns).
6856	*
6857	* @param pVCpu The cross context virtual CPU structure.
6858	*/
6859	static void hmR0VmxTrpmTrapToPendingEvent(PVMCPU pVCpu)
6860	{
6861	Assert(TRPMHasTrap(pVCpu));
6862	Assert(!pVCpu->hm.s.Event.fPending);
6863
6864	uint8_t uVector;
6865	TRPMEVENT enmTrpmEvent;
6866	RTGCUINT uErrCode;
6867	RTGCUINTPTR GCPtrFaultAddress;
6868	uint8_t cbInstr;
6869
6870	int rc = TRPMQueryTrapAll(pVCpu, &uVector, &enmTrpmEvent, &uErrCode, &GCPtrFaultAddress, &cbInstr);
6871	AssertRC(rc);
6872
6873	/* Refer Intel spec. 24.8.3 "VM-entry Controls for Event Injection" for the format of u32IntInfo. */
6874	uint32_t u32IntInfo = uVector \| VMX_EXIT_INTERRUPTION_INFO_VALID;
6875	if (enmTrpmEvent == TRPM_TRAP)
6876	{
6877	switch (uVector)
6878	{
6879	case X86_XCPT_NMI:
6880	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6881	break;
6882
6883	case X86_XCPT_BP:
6884	case X86_XCPT_OF:
6885	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6886	break;
6887
6888	case X86_XCPT_PF:
6889	case X86_XCPT_DF:
6890	case X86_XCPT_TS:
6891	case X86_XCPT_NP:
6892	case X86_XCPT_SS:
6893	case X86_XCPT_GP:
6894	case X86_XCPT_AC:
6895	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
6896	/* no break! */
6897	default:
6898	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6899	break;
6900	}
6901	}
6902	else if (enmTrpmEvent == TRPM_HARDWARE_INT)
6903	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6904	else if (enmTrpmEvent == TRPM_SOFTWARE_INT)
6905	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6906	else
6907	AssertMsgFailed(("Invalid TRPM event type %d\n", enmTrpmEvent));
6908
6909	rc = TRPMResetTrap(pVCpu);
6910	AssertRC(rc);
6911	Log4(("TRPM->HM event: u32IntInfo=%#RX32 enmTrpmEvent=%d cbInstr=%u uErrCode=%#RX32 GCPtrFaultAddress=%#RGv\n",
6912	u32IntInfo, enmTrpmEvent, cbInstr, uErrCode, GCPtrFaultAddress));
6913
6914	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, cbInstr, uErrCode, GCPtrFaultAddress);
6915	}
6916
6917
6918	/**
6919	* Converts the pending HM event into a TRPM trap.
6920	*
6921	* @param pVCpu The cross context virtual CPU structure.
6922	*/
6923	static void hmR0VmxPendingEventToTrpmTrap(PVMCPU pVCpu)
6924	{
6925	Assert(pVCpu->hm.s.Event.fPending);
6926
6927	uint32_t uVectorType = VMX_IDT_VECTORING_INFO_TYPE(pVCpu->hm.s.Event.u64IntInfo);
6928	uint32_t uVector = VMX_IDT_VECTORING_INFO_VECTOR(pVCpu->hm.s.Event.u64IntInfo);
6929	bool fErrorCodeValid = VMX_IDT_VECTORING_INFO_ERROR_CODE_IS_VALID(pVCpu->hm.s.Event.u64IntInfo);
6930	uint32_t uErrorCode = pVCpu->hm.s.Event.u32ErrCode;
6931
6932	/* If a trap was already pending, we did something wrong! */
6933	Assert(TRPMQueryTrap(pVCpu, NULL /* pu8TrapNo /, NULL / pEnmType */) == VERR_TRPM_NO_ACTIVE_TRAP);
6934
6935	TRPMEVENT enmTrapType;
6936	switch (uVectorType)
6937	{
6938	case VMX_IDT_VECTORING_INFO_TYPE_EXT_INT:
6939	enmTrapType = TRPM_HARDWARE_INT;
6940	break;
6941
6942	case VMX_IDT_VECTORING_INFO_TYPE_SW_INT:
6943	enmTrapType = TRPM_SOFTWARE_INT;
6944	break;
6945
6946	case VMX_IDT_VECTORING_INFO_TYPE_NMI:
6947	case VMX_IDT_VECTORING_INFO_TYPE_PRIV_SW_XCPT:
6948	case VMX_IDT_VECTORING_INFO_TYPE_SW_XCPT: /* #BP and #OF */
6949	case VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT:
6950	enmTrapType = TRPM_TRAP;
6951	break;
6952
6953	default:
6954	AssertMsgFailed(("Invalid trap type %#x\n", uVectorType));
6955	enmTrapType = TRPM_32BIT_HACK;
6956	break;
6957	}
6958
6959	Log4(("HM event->TRPM: uVector=%#x enmTrapType=%d\n", uVector, enmTrapType));
6960
6961	int rc = TRPMAssertTrap(pVCpu, uVector, enmTrapType);
6962	AssertRC(rc);
6963
6964	if (fErrorCodeValid)
6965	TRPMSetErrorCode(pVCpu, uErrorCode);
6966
6967	if ( uVectorType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT
6968	&& uVector == X86_XCPT_PF)
6969	{
6970	TRPMSetFaultAddress(pVCpu, pVCpu->hm.s.Event.GCPtrFaultAddress);
6971	}
6972	else if ( uVectorType == VMX_IDT_VECTORING_INFO_TYPE_SW_INT
6973	\|\| uVectorType == VMX_IDT_VECTORING_INFO_TYPE_SW_XCPT
6974	\|\| uVectorType == VMX_IDT_VECTORING_INFO_TYPE_PRIV_SW_XCPT)
6975	{
6976	AssertMsg( uVectorType == VMX_IDT_VECTORING_INFO_TYPE_SW_INT
6977	\|\| (uVector == X86_XCPT_BP \|\| uVector == X86_XCPT_OF),
6978	("Invalid vector: uVector=%#x uVectorType=%#x\n", uVector, uVectorType));
6979	TRPMSetInstrLength(pVCpu, pVCpu->hm.s.Event.cbInstr);
6980	}
6981
6982	/* Clear any pending events from the VMCS. */
6983	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, 0); AssertRC(rc);
6984	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, 0); AssertRC(rc);
6985
6986	/* We're now done converting the pending event. */
6987	pVCpu->hm.s.Event.fPending = false;
6988	}
6989
6990
6991	/**
6992	* Does the necessary state syncing before returning to ring-3 for any reason
6993	* (longjmp, preemption, voluntary exits to ring-3) from VT-x.
6994	*
6995	* @returns VBox status code.
6996	* @param pVM The cross context VM structure.
6997	* @param pVCpu The cross context virtual CPU structure.
6998	* @param pMixedCtx Pointer to the guest-CPU context. The data may
6999	* be out-of-sync. Make sure to update the required
7000	* fields before using them.
7001	* @param fSaveGuestState Whether to save the guest state or not.
7002	*
7003	* @remarks No-long-jmp zone!!!
7004	*/
7005	static int hmR0VmxLeave(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fSaveGuestState)
7006	{
7007	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
7008	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
7009
7010	RTCPUID idCpu = RTMpCpuId();
7011	Log4Func(("HostCpuId=%u\n", idCpu));
7012
7013	/*
7014	* !!! IMPORTANT !!!
7015	* If you modify code here, check whether hmR0VmxCallRing3Callback() needs to be updated too.
7016	*/
7017
7018	/* Save the guest state if necessary. */
7019	if ( fSaveGuestState
7020	&& HMVMXCPU_GST_VALUE(pVCpu) != HMVMX_UPDATED_GUEST_ALL)
7021	{
7022	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
7023	AssertRCReturn(rc, rc);
7024	Assert(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL);
7025	}
7026
7027	/* Restore host FPU state if necessary and resync on next R0 reentry .*/
7028	if (CPUMR0FpuStateMaybeSaveGuestAndRestoreHost(pVCpu))
7029	{
7030	if (fSaveGuestState)
7031	{
7032	/* We shouldn't reload CR0 without saving it first. */
7033	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
7034	AssertRCReturn(rc, rc);
7035	}
7036	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
7037	}
7038
7039	/* Restore host debug registers if necessary and resync on next R0 reentry. */
7040	#ifdef VBOX_STRICT
7041	if (CPUMIsHyperDebugStateActive(pVCpu))
7042	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT);
7043	#endif
7044	if (CPUMR0DebugStateMaybeSaveGuestAndRestoreHost(pVCpu, true /* save DR6 */))
7045	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
7046	Assert(!CPUMIsGuestDebugStateActive(pVCpu) && !CPUMIsGuestDebugStateActivePending(pVCpu));
7047	Assert(!CPUMIsHyperDebugStateActive(pVCpu) && !CPUMIsHyperDebugStateActivePending(pVCpu));
7048
7049	#if HC_ARCH_BITS == 64
7050	/* Restore host-state bits that VT-x only restores partially. */
7051	if ( (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_REQUIRED)
7052	&& (pVCpu->hm.s.vmx.fRestoreHostFlags & ~VMX_RESTORE_HOST_REQUIRED))
7053	{
7054	Log4Func(("Restoring Host State: fRestoreHostFlags=%#RX32 HostCpuId=%u\n", pVCpu->hm.s.vmx.fRestoreHostFlags, idCpu));
7055	VMXRestoreHostState(pVCpu->hm.s.vmx.fRestoreHostFlags, &pVCpu->hm.s.vmx.RestoreHost);
7056	}
7057	pVCpu->hm.s.vmx.fRestoreHostFlags = 0;
7058	#endif
7059
7060	/* Restore the lazy host MSRs as we're leaving VT-x context. */
7061	if (pVCpu->hm.s.vmx.fLazyMsrs)
7062	{
7063	/* We shouldn't reload the guest MSRs without saving it first. */
7064	if (!fSaveGuestState)
7065	{
7066	int rc = hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
7067	AssertRCReturn(rc, rc);
7068	}
7069	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS));
7070	hmR0VmxLazyRestoreHostMsrs(pVCpu);
7071	Assert(!pVCpu->hm.s.vmx.fLazyMsrs);
7072	}
7073
7074	/* Update auto-load/store host MSRs values when we re-enter VT-x (as we could be on a different CPU). */
7075	pVCpu->hm.s.vmx.fUpdatedHostMsrs = false;
7076
7077	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatEntry);
7078	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatLoadGuestState);
7079	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExit1);
7080	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExit2);
7081	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitIO);
7082	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitMovCRx);
7083	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitXcptNmi);
7084	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchLongJmpToR3);
7085
7086	VMCPU_CMPXCHG_STATE(pVCpu, VMCPUSTATE_STARTED_HM, VMCPUSTATE_STARTED_EXEC);
7087
7088	/** @todo This partially defeats the purpose of having preemption hooks.
7089	* The problem is, deregistering the hooks should be moved to a place that
7090	* lasts until the EMT is about to be destroyed not everytime while leaving HM
7091	* context.
7092	*/
7093	if (pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_ACTIVE)
7094	{
7095	int rc = VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
7096	AssertRCReturn(rc, rc);
7097
7098	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_CLEAR;
7099	Log4Func(("Cleared Vmcs. HostCpuId=%u\n", idCpu));
7100	}
7101	Assert(!(pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_LAUNCHED));
7102	NOREF(idCpu);
7103
7104	return VINF_SUCCESS;
7105	}
7106
7107
7108	/**
7109	* Leaves the VT-x session.
7110	*
7111	* @returns VBox status code.
7112	* @param pVM The cross context VM structure.
7113	* @param pVCpu The cross context virtual CPU structure.
7114	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7115	* out-of-sync. Make sure to update the required fields
7116	* before using them.
7117	*
7118	* @remarks No-long-jmp zone!!!
7119	*/
7120	DECLINLINE(int) hmR0VmxLeaveSession(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7121	{
7122	HM_DISABLE_PREEMPT();
7123	HMVMX_ASSERT_CPU_SAFE();
7124	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
7125	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
7126
7127	/* When thread-context hooks are used, we can avoid doing the leave again if we had been preempted before
7128	and done this from the VMXR0ThreadCtxCallback(). */
7129	if (!pVCpu->hm.s.fLeaveDone)
7130	{
7131	int rc2 = hmR0VmxLeave(pVM, pVCpu, pMixedCtx, true /* fSaveGuestState */);
7132	AssertRCReturnStmt(rc2, HM_RESTORE_PREEMPT(), rc2);
7133	pVCpu->hm.s.fLeaveDone = true;
7134	}
7135	Assert(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL);
7136
7137	/*
7138	* !!! IMPORTANT !!!
7139	* If you modify code here, make sure to check whether hmR0VmxCallRing3Callback() needs to be updated too.
7140	*/
7141
7142	/* Deregister hook now that we've left HM context before re-enabling preemption. */
7143	/** @todo Deregistering here means we need to VMCLEAR always
7144	* (longjmp/exit-to-r3) in VT-x which is not efficient. */
7145	/** @todo eliminate the need for calling VMMR0ThreadCtxHookDisable here! */
7146	VMMR0ThreadCtxHookDisable(pVCpu);
7147
7148	/* Leave HM context. This takes care of local init (term). */
7149	int rc = HMR0LeaveCpu(pVCpu);
7150
7151	HM_RESTORE_PREEMPT();
7152	return rc;
7153	}
7154
7155
7156	/**
7157	* Does the necessary state syncing before doing a longjmp to ring-3.
7158	*
7159	* @returns VBox status code.
7160	* @param pVM The cross context VM structure.
7161	* @param pVCpu The cross context virtual CPU structure.
7162	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7163	* out-of-sync. Make sure to update the required fields
7164	* before using them.
7165	*
7166	* @remarks No-long-jmp zone!!!
7167	*/
7168	DECLINLINE(int) hmR0VmxLongJmpToRing3(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7169	{
7170	return hmR0VmxLeaveSession(pVM, pVCpu, pMixedCtx);
7171	}
7172
7173
7174	/**
7175	* Take necessary actions before going back to ring-3.
7176	*
7177	* An action requires us to go back to ring-3. This function does the necessary
7178	* steps before we can safely return to ring-3. This is not the same as longjmps
7179	* to ring-3, this is voluntary and prepares the guest so it may continue
7180	* executing outside HM (recompiler/IEM).
7181	*
7182	* @returns VBox status code.
7183	* @param pVM The cross context VM structure.
7184	* @param pVCpu The cross context virtual CPU structure.
7185	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7186	* out-of-sync. Make sure to update the required fields
7187	* before using them.
7188	* @param rcExit The reason for exiting to ring-3. Can be
7189	* VINF_VMM_UNKNOWN_RING3_CALL.
7190	*/
7191	static int hmR0VmxExitToRing3(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, VBOXSTRICTRC rcExit)
7192	{
7193	Assert(pVM);
7194	Assert(pVCpu);
7195	Assert(pMixedCtx);
7196	HMVMX_ASSERT_PREEMPT_SAFE();
7197
7198	if (RT_UNLIKELY(rcExit == VERR_VMX_INVALID_VMCS_PTR))
7199	{
7200	VMXGetActivatedVmcs(&pVCpu->hm.s.vmx.LastError.u64VMCSPhys);
7201	pVCpu->hm.s.vmx.LastError.u32VMCSRevision = (uint32_t )pVCpu->hm.s.vmx.pvVmcs;
7202	pVCpu->hm.s.vmx.LastError.idEnteredCpu = pVCpu->hm.s.idEnteredCpu;
7203	/* LastError.idCurrentCpu was updated in hmR0VmxPreRunGuestCommitted(). */
7204	}
7205
7206	/* Please, no longjumps here (any logging shouldn't flush jump back to ring-3). NO LOGGING BEFORE THIS POINT! */
7207	VMMRZCallRing3Disable(pVCpu);
7208	Log4(("hmR0VmxExitToRing3: pVCpu=%p idCpu=%RU32 rcExit=%d\n", pVCpu, pVCpu->idCpu, VBOXSTRICTRC_VAL(rcExit)));
7209
7210	/* We need to do this only while truly exiting the "inner loop" back to ring-3 and -not- for any longjmp to ring3. */
7211	if (pVCpu->hm.s.Event.fPending)
7212	{
7213	hmR0VmxPendingEventToTrpmTrap(pVCpu);
7214	Assert(!pVCpu->hm.s.Event.fPending);
7215	}
7216
7217	/* Clear interrupt-window and NMI-window controls as we re-evaluate it when we return from ring-3. */
7218	hmR0VmxClearIntNmiWindowsVmcs(pVCpu);
7219
7220	/* If we're emulating an instruction, we shouldn't have any TRPM traps pending
7221	and if we're injecting an event we should have a TRPM trap pending. */
7222	AssertMsg(rcExit != VINF_EM_RAW_INJECT_TRPM_EVENT \|\| TRPMHasTrap(pVCpu), ("%Rrc\n", VBOXSTRICTRC_VAL(rcExit)));
7223	#ifndef DEBUG_bird /* Triggered after firing an NMI against NT4SP1, possibly a tripple fault in progress. */
7224	AssertMsg(rcExit != VINF_EM_RAW_EMULATE_INSTR \|\| !TRPMHasTrap(pVCpu), ("%Rrc\n", VBOXSTRICTRC_VAL(rcExit)));
7225	#endif
7226
7227	/* Save guest state and restore host state bits. */
7228	int rc = hmR0VmxLeaveSession(pVM, pVCpu, pMixedCtx);
7229	AssertRCReturn(rc, rc);
7230	STAM_COUNTER_DEC(&pVCpu->hm.s.StatSwitchLongJmpToR3);
7231	/* Thread-context hooks are unregistered at this point!!! */
7232
7233	/* Sync recompiler state. */
7234	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TO_R3);
7235	CPUMSetChangedFlags(pVCpu, CPUM_CHANGED_SYSENTER_MSR
7236	\| CPUM_CHANGED_LDTR
7237	\| CPUM_CHANGED_GDTR
7238	\| CPUM_CHANGED_IDTR
7239	\| CPUM_CHANGED_TR
7240	\| CPUM_CHANGED_HIDDEN_SEL_REGS);
7241	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0));
7242	if ( pVM->hm.s.fNestedPaging
7243	&& CPUMIsGuestPagingEnabledEx(pMixedCtx))
7244	{
7245	CPUMSetChangedFlags(pVCpu, CPUM_CHANGED_GLOBAL_TLB_FLUSH);
7246	}
7247
7248	Assert(!pVCpu->hm.s.fClearTrapFlag);
7249
7250	/* On our way back from ring-3 reload the guest state if there is a possibility of it being changed. */
7251	if (rcExit != VINF_EM_RAW_INTERRUPT)
7252	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
7253
7254	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchExitToR3);
7255
7256	/* We do -not- want any longjmp notifications after this! We must return to ring-3 ASAP. */
7257	VMMRZCallRing3RemoveNotification(pVCpu);
7258	VMMRZCallRing3Enable(pVCpu);
7259
7260	return rc;
7261	}
7262
7263
7264	/**
7265	* VMMRZCallRing3() callback wrapper which saves the guest state before we
7266	* longjump to ring-3 and possibly get preempted.
7267	*
7268	* @returns VBox status code.
7269	* @param pVCpu The cross context virtual CPU structure.
7270	* @param enmOperation The operation causing the ring-3 longjump.
7271	* @param pvUser Opaque pointer to the guest-CPU context. The data
7272	* may be out-of-sync. Make sure to update the required
7273	* fields before using them.
7274	*/
7275	static DECLCALLBACK(int) hmR0VmxCallRing3Callback(PVMCPU pVCpu, VMMCALLRING3 enmOperation, void *pvUser)
7276	{
7277	if (enmOperation == VMMCALLRING3_VM_R0_ASSERTION)
7278	{
7279	/*
7280	* !!! IMPORTANT !!!
7281	* If you modify code here, check whether hmR0VmxLeave() and hmR0VmxLeaveSession() needs to be updated too.
7282	* This is a stripped down version which gets out ASAP, trying to not trigger any further assertions.
7283	*/
7284	VMMRZCallRing3RemoveNotification(pVCpu);
7285	VMMRZCallRing3Disable(pVCpu);
7286	RTTHREADPREEMPTSTATE PreemptState = RTTHREADPREEMPTSTATE_INITIALIZER;
7287	RTThreadPreemptDisable(&PreemptState);
7288
7289	CPUMR0FpuStateMaybeSaveGuestAndRestoreHost(pVCpu);
7290	CPUMR0DebugStateMaybeSaveGuestAndRestoreHost(pVCpu, true /* save DR6 */);
7291
7292	#if HC_ARCH_BITS == 64
7293	/* Restore host-state bits that VT-x only restores partially. */
7294	if ( (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_REQUIRED)
7295	&& (pVCpu->hm.s.vmx.fRestoreHostFlags & ~VMX_RESTORE_HOST_REQUIRED))
7296	VMXRestoreHostState(pVCpu->hm.s.vmx.fRestoreHostFlags, &pVCpu->hm.s.vmx.RestoreHost);
7297	pVCpu->hm.s.vmx.fRestoreHostFlags = 0;
7298	#endif
7299	/* Restore the lazy host MSRs as we're leaving VT-x context. */
7300	if (pVCpu->hm.s.vmx.fLazyMsrs)
7301	hmR0VmxLazyRestoreHostMsrs(pVCpu);
7302
7303	/* Update auto-load/store host MSRs values when we re-enter VT-x (as we could be on a different CPU). */
7304	pVCpu->hm.s.vmx.fUpdatedHostMsrs = false;
7305	VMCPU_CMPXCHG_STATE(pVCpu, VMCPUSTATE_STARTED_HM, VMCPUSTATE_STARTED_EXEC);
7306	if (pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_ACTIVE)
7307	{
7308	VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
7309	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_CLEAR;
7310	}
7311
7312	/** @todo eliminate the need for calling VMMR0ThreadCtxHookDisable here! */
7313	VMMR0ThreadCtxHookDisable(pVCpu);
7314	HMR0LeaveCpu(pVCpu);
7315	RTThreadPreemptRestore(&PreemptState);
7316	return VINF_SUCCESS;
7317	}
7318
7319	Assert(pVCpu);
7320	Assert(pvUser);
7321	Assert(VMMRZCallRing3IsEnabled(pVCpu));
7322	HMVMX_ASSERT_PREEMPT_SAFE();
7323
7324	VMMRZCallRing3Disable(pVCpu);
7325	Assert(VMMR0IsLogFlushDisabled(pVCpu));
7326
7327	Log4(("hmR0VmxCallRing3Callback->hmR0VmxLongJmpToRing3 pVCpu=%p idCpu=%RU32 enmOperation=%d\n", pVCpu, pVCpu->idCpu,
7328	enmOperation));
7329
7330	int rc = hmR0VmxLongJmpToRing3(pVCpu->CTX_SUFF(pVM), pVCpu, (PCPUMCTX)pvUser);
7331	AssertRCReturn(rc, rc);
7332
7333	VMMRZCallRing3Enable(pVCpu);
7334	return VINF_SUCCESS;
7335	}
7336
7337
7338	/**
7339	* Sets the interrupt-window exiting control in the VMCS which instructs VT-x to
7340	* cause a VM-exit as soon as the guest is in a state to receive interrupts.
7341	*
7342	* @param pVCpu The cross context virtual CPU structure.
7343	*/
7344	DECLINLINE(void) hmR0VmxSetIntWindowExitVmcs(PVMCPU pVCpu)
7345	{
7346	if (RT_LIKELY(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT))
7347	{
7348	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT))
7349	{
7350	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT;
7351	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7352	AssertRC(rc);
7353	Log4(("Setup interrupt-window exiting\n"));
7354	}
7355	} /* else we will deliver interrupts whenever the guest exits next and is in a state to receive events. */
7356	}
7357
7358
7359	/**
7360	* Clears the interrupt-window exiting control in the VMCS.
7361	*
7362	* @param pVCpu The cross context virtual CPU structure.
7363	*/
7364	DECLINLINE(void) hmR0VmxClearIntWindowExitVmcs(PVMCPU pVCpu)
7365	{
7366	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT);
7367	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT;
7368	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7369	AssertRC(rc);
7370	Log4(("Cleared interrupt-window exiting\n"));
7371	}
7372
7373
7374	/**
7375	* Sets the NMI-window exiting control in the VMCS which instructs VT-x to
7376	* cause a VM-exit as soon as the guest is in a state to receive NMIs.
7377	*
7378	* @param pVCpu The cross context virtual CPU structure.
7379	*/
7380	DECLINLINE(void) hmR0VmxSetNmiWindowExitVmcs(PVMCPU pVCpu)
7381	{
7382	if (RT_LIKELY(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT))
7383	{
7384	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT))
7385	{
7386	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT;
7387	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7388	AssertRC(rc);
7389	Log4(("Setup NMI-window exiting\n"));
7390	}
7391	} /* else we will deliver NMIs whenever we VM-exit next, even possibly nesting NMIs. Can't be helped on ancient CPUs. */
7392	}
7393
7394
7395	/**
7396	* Clears the NMI-window exiting control in the VMCS.
7397	*
7398	* @param pVCpu The cross context virtual CPU structure.
7399	*/
7400	DECLINLINE(void) hmR0VmxClearNmiWindowExitVmcs(PVMCPU pVCpu)
7401	{
7402	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT);
7403	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT;
7404	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7405	AssertRC(rc);
7406	Log4(("Cleared NMI-window exiting\n"));
7407	}
7408
7409
7410	/**
7411	* Evaluates the event to be delivered to the guest and sets it as the pending
7412	* event.
7413	*
7414	* @returns The VT-x guest-interruptibility state.
7415	* @param pVCpu The cross context virtual CPU structure.
7416	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7417	* out-of-sync. Make sure to update the required fields
7418	* before using them.
7419	*/
7420	static uint32_t hmR0VmxEvaluatePendingEvent(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7421	{
7422	/* Get the current interruptibility-state of the guest and then figure out what can be injected. */
7423	uint32_t const uIntrState = hmR0VmxGetGuestIntrState(pVCpu, pMixedCtx);
7424	bool const fBlockMovSS = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS);
7425	bool const fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
7426	bool const fBlockNmi = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI);
7427
7428	Assert(!fBlockSti \|\| HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS));
7429	Assert(!(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI)); /* We don't support block-by-SMI yet.*/
7430	Assert(!fBlockSti \|\| pMixedCtx->eflags.Bits.u1IF); /* Cannot set block-by-STI when interrupts are disabled. */
7431	Assert(!TRPMHasTrap(pVCpu));
7432
7433	#ifdef VBOX_WITH_NEW_APIC
7434	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_UPDATE_APIC))
7435	APICUpdatePendingInterrupts(pVCpu);
7436	#endif
7437
7438	/*
7439	* Toggling of interrupt force-flags here is safe since we update TRPM on premature exits
7440	* to ring-3 before executing guest code, see hmR0VmxExitToRing3(). We must NOT restore these force-flags.
7441	*/
7442	/** @todo SMI. SMIs take priority over NMIs. */
7443	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INTERRUPT_NMI)) /* NMI. NMIs take priority over regular interrupts. */
7444	{
7445	/* On some CPUs block-by-STI also blocks NMIs. See Intel spec. 26.3.1.5 "Checks On Guest Non-Register State". */
7446	if ( !pVCpu->hm.s.Event.fPending
7447	&& !fBlockNmi
7448	&& !fBlockSti
7449	&& !fBlockMovSS)
7450	{
7451	Log4(("Pending NMI vcpu[%RU32]\n", pVCpu->idCpu));
7452	uint32_t u32IntInfo = X86_XCPT_NMI \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7453	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7454
7455	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
7456	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INTERRUPT_NMI);
7457	}
7458	else
7459	hmR0VmxSetNmiWindowExitVmcs(pVCpu);
7460	}
7461	/*
7462	* Check if the guest can receive external interrupts (PIC/APIC). Once PDMGetInterrupt() returns
7463	* a valid interrupt we must- deliver the interrupt. We can no longer re-request it from the APIC.
7464	*/
7465	else if ( VMCPU_FF_IS_PENDING(pVCpu, (VMCPU_FF_INTERRUPT_APIC \| VMCPU_FF_INTERRUPT_PIC))
7466	&& !pVCpu->hm.s.fSingleInstruction)
7467	{
7468	Assert(!DBGFIsStepping(pVCpu));
7469	int rc = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
7470	AssertRC(rc);
7471	bool const fBlockInt = !(pMixedCtx->eflags.u32 & X86_EFL_IF);
7472	if ( !pVCpu->hm.s.Event.fPending
7473	&& !fBlockInt
7474	&& !fBlockSti
7475	&& !fBlockMovSS)
7476	{
7477	uint8_t u8Interrupt;
7478	rc = PDMGetInterrupt(pVCpu, &u8Interrupt);
7479	if (RT_SUCCESS(rc))
7480	{
7481	Log4(("Pending interrupt vcpu[%RU32] u8Interrupt=%#x \n", pVCpu->idCpu, u8Interrupt));
7482	uint32_t u32IntInfo = u8Interrupt \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7483	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7484
7485	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrfaultAddress */);
7486	}
7487	else if (rc == VERR_APIC_INTR_MASKED_BY_TPR)
7488	{
7489	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
7490	hmR0VmxApicSetTprThreshold(pVCpu, u8Interrupt >> 4);
7491	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchTprMaskedIrq);
7492	}
7493	else
7494	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchGuestIrq);
7495	}
7496	else
7497	hmR0VmxSetIntWindowExitVmcs(pVCpu);
7498	}
7499
7500	return uIntrState;
7501	}
7502
7503
7504	/**
7505	* Sets a pending-debug exception to be delivered to the guest if the guest is
7506	* single-stepping in the VMCS.
7507	*
7508	* @param pVCpu The cross context virtual CPU structure.
7509	*/
7510	DECLINLINE(void) hmR0VmxSetPendingDebugXcptVmcs(PVMCPU pVCpu)
7511	{
7512	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS)); NOREF(pVCpu);
7513	int rc = VMXWriteVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, VMX_VMCS_GUEST_DEBUG_EXCEPTIONS_BS);
7514	AssertRC(rc);
7515	}
7516
7517
7518	/**
7519	* Injects any pending events into the guest if the guest is in a state to
7520	* receive them.
7521	*
7522	* @returns Strict VBox status code (i.e. informational status codes too).
7523	* @param pVCpu The cross context virtual CPU structure.
7524	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7525	* out-of-sync. Make sure to update the required fields
7526	* before using them.
7527	* @param uIntrState The VT-x guest-interruptibility state.
7528	* @param fStepping Running in hmR0VmxRunGuestCodeStep() and we should
7529	* return VINF_EM_DBG_STEPPED if the event was
7530	* dispatched directly.
7531	*/
7532	static VBOXSTRICTRC hmR0VmxInjectPendingEvent(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint32_t uIntrState, bool fStepping)
7533	{
7534	HMVMX_ASSERT_PREEMPT_SAFE();
7535	Assert(VMMRZCallRing3IsEnabled(pVCpu));
7536
7537	bool fBlockMovSS = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS);
7538	bool fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
7539
7540	Assert(!fBlockSti \|\| HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS));
7541	Assert(!(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI)); /* We don't support block-by-SMI yet.*/
7542	Assert(!fBlockSti \|\| pMixedCtx->eflags.Bits.u1IF); /* Cannot set block-by-STI when interrupts are disabled. */
7543	Assert(!TRPMHasTrap(pVCpu));
7544
7545	VBOXSTRICTRC rcStrict = VINF_SUCCESS;
7546	if (pVCpu->hm.s.Event.fPending)
7547	{
7548	/*
7549	* Do -not- clear any interrupt-window exiting control here. We might have an interrupt
7550	* pending even while injecting an event and in this case, we want a VM-exit as soon as
7551	* the guest is ready for the next interrupt, see @bugref{6208#c45}.
7552	*
7553	* See Intel spec. 26.6.5 "Interrupt-Window Exiting and Virtual-Interrupt Delivery".
7554	*/
7555	uint32_t const uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(pVCpu->hm.s.Event.u64IntInfo);
7556	#ifdef VBOX_STRICT
7557	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
7558	{
7559	bool const fBlockInt = !(pMixedCtx->eflags.u32 & X86_EFL_IF);
7560	Assert(!fBlockInt);
7561	Assert(!fBlockSti);
7562	Assert(!fBlockMovSS);
7563	}
7564	else if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
7565	{
7566	bool const fBlockNmi = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI);
7567	Assert(!fBlockSti);
7568	Assert(!fBlockMovSS);
7569	Assert(!fBlockNmi);
7570	}
7571	#endif
7572	Log4(("Injecting pending event vcpu[%RU32] u64IntInfo=%#RX64 Type=%#x\n", pVCpu->idCpu, pVCpu->hm.s.Event.u64IntInfo,
7573	(uint8_t)uIntType));
7574	rcStrict = hmR0VmxInjectEventVmcs(pVCpu, pMixedCtx, pVCpu->hm.s.Event.u64IntInfo, pVCpu->hm.s.Event.cbInstr,
7575	pVCpu->hm.s.Event.u32ErrCode, pVCpu->hm.s.Event.GCPtrFaultAddress,
7576	fStepping, &uIntrState);
7577	AssertRCReturn(VBOXSTRICTRC_VAL(rcStrict), rcStrict);
7578
7579	/* Update the interruptibility-state as it could have been changed by
7580	hmR0VmxInjectEventVmcs() (e.g. real-on-v86 guest injecting software interrupts) */
7581	fBlockMovSS = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS);
7582	fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
7583
7584	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
7585	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectInterrupt);
7586	else
7587	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectXcpt);
7588	}
7589
7590	/* Deliver pending debug exception if the guest is single-stepping. Evaluate and set the BS bit. */
7591	if ( fBlockSti
7592	\|\| fBlockMovSS)
7593	{
7594	if (!pVCpu->hm.s.fSingleInstruction)
7595	{
7596	/*
7597	* The pending-debug exceptions field is cleared on all VM-exits except VMX_EXIT_TPR_BELOW_THRESHOLD,
7598	* VMX_EXIT_MTF, VMX_EXIT_APIC_WRITE and VMX_EXIT_VIRTUALIZED_EOI.
7599	* See Intel spec. 27.3.4 "Saving Non-Register State".
7600	*/
7601	Assert(!DBGFIsStepping(pVCpu));
7602	int rc2 = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
7603	AssertRCReturn(rc2, rc2);
7604	if (pMixedCtx->eflags.Bits.u1TF)
7605	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
7606	}
7607	else if (pMixedCtx->eflags.Bits.u1TF)
7608	{
7609	/*
7610	* We are single-stepping in the hypervisor debugger using EFLAGS.TF. Clear interrupt inhibition as setting the
7611	* BS bit would mean delivering a #DB to the guest upon VM-entry when it shouldn't be.
7612	*/
7613	Assert(!(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG));
7614	uIntrState = 0;
7615	}
7616	}
7617
7618	/*
7619	* There's no need to clear the VM-entry interruption-information field here if we're not injecting anything.
7620	* VT-x clears the valid bit on every VM-exit. See Intel spec. 24.8.3 "VM-Entry Controls for Event Injection".
7621	*/
7622	int rc2 = hmR0VmxLoadGuestIntrState(pVCpu, uIntrState);
7623	AssertRC(rc2);
7624
7625	Assert(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_EM_RESET \|\| (rcStrict == VINF_EM_DBG_STEPPED && fStepping));
7626	NOREF(fBlockMovSS); NOREF(fBlockSti);
7627	return rcStrict;
7628	}
7629
7630
7631	/**
7632	* Sets an invalid-opcode (\#UD) exception as pending-for-injection into the VM.
7633	*
7634	* @param pVCpu The cross context virtual CPU structure.
7635	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7636	* out-of-sync. Make sure to update the required fields
7637	* before using them.
7638	*/
7639	DECLINLINE(void) hmR0VmxSetPendingXcptUD(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7640	{
7641	NOREF(pMixedCtx);
7642	uint32_t u32IntInfo = X86_XCPT_UD \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7643	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
7644	}
7645
7646
7647	/**
7648	* Injects a double-fault (\#DF) exception into the VM.
7649	*
7650	* @returns Strict VBox status code (i.e. informational status codes too).
7651	* @param pVCpu The cross context virtual CPU structure.
7652	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7653	* out-of-sync. Make sure to update the required fields
7654	* before using them.
7655	* @param fStepping Whether we're running in hmR0VmxRunGuestCodeStep()
7656	* and should return VINF_EM_DBG_STEPPED if the event
7657	* is injected directly (register modified by us, not
7658	* by hardware on VM-entry).
7659	* @param puIntrState Pointer to the current guest interruptibility-state.
7660	* This interruptibility-state will be updated if
7661	* necessary. This cannot not be NULL.
7662	*/
7663	DECLINLINE(VBOXSTRICTRC) hmR0VmxInjectXcptDF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fStepping, uint32_t *puIntrState)
7664	{
7665	uint32_t u32IntInfo = X86_XCPT_DF \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7666	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7667	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7668	return hmR0VmxInjectEventVmcs(pVCpu, pMixedCtx, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */,
7669	fStepping, puIntrState);
7670	}
7671
7672
7673	/**
7674	* Sets a debug (\#DB) exception as pending-for-injection into the VM.
7675	*
7676	* @param pVCpu The cross context virtual CPU structure.
7677	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7678	* out-of-sync. Make sure to update the required fields
7679	* before using them.
7680	*/
7681	DECLINLINE(void) hmR0VmxSetPendingXcptDB(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7682	{
7683	NOREF(pMixedCtx);
7684	uint32_t u32IntInfo = X86_XCPT_DB \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7685	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7686	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
7687	}
7688
7689
7690	/**
7691	* Sets an overflow (\#OF) exception as pending-for-injection into the VM.
7692	*
7693	* @param pVCpu The cross context virtual CPU structure.
7694	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7695	* out-of-sync. Make sure to update the required fields
7696	* before using them.
7697	* @param cbInstr The value of RIP that is to be pushed on the guest
7698	* stack.
7699	*/
7700	DECLINLINE(void) hmR0VmxSetPendingXcptOF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint32_t cbInstr)
7701	{
7702	NOREF(pMixedCtx);
7703	uint32_t u32IntInfo = X86_XCPT_OF \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7704	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7705	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, cbInstr, 0 /* u32ErrCode /, 0 / GCPtrFaultAddress */);
7706	}
7707
7708
7709	/**
7710	* Injects a general-protection (\#GP) fault into the VM.
7711	*
7712	* @returns Strict VBox status code (i.e. informational status codes too).
7713	* @param pVCpu The cross context virtual CPU structure.
7714	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7715	* out-of-sync. Make sure to update the required fields
7716	* before using them.
7717	* @param fErrorCodeValid Whether the error code is valid (depends on the CPU
7718	* mode, i.e. in real-mode it's not valid).
7719	* @param u32ErrorCode The error code associated with the \#GP.
7720	* @param fStepping Whether we're running in
7721	* hmR0VmxRunGuestCodeStep() and should return
7722	* VINF_EM_DBG_STEPPED if the event is injected
7723	* directly (register modified by us, not by
7724	* hardware on VM-entry).
7725	* @param puIntrState Pointer to the current guest interruptibility-state.
7726	* This interruptibility-state will be updated if
7727	* necessary. This cannot not be NULL.
7728	*/
7729	DECLINLINE(VBOXSTRICTRC) hmR0VmxInjectXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fErrorCodeValid, uint32_t u32ErrorCode,
7730	bool fStepping, uint32_t *puIntrState)
7731	{
7732	uint32_t u32IntInfo = X86_XCPT_GP \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7733	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7734	if (fErrorCodeValid)
7735	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7736	return hmR0VmxInjectEventVmcs(pVCpu, pMixedCtx, u32IntInfo, 0 /* cbInstr /, u32ErrorCode, 0 / GCPtrFaultAddress */,
7737	fStepping, puIntrState);
7738	}
7739
7740
7741	/**
7742	* Sets a general-protection (\#GP) exception as pending-for-injection into the
7743	* VM.
7744	*
7745	* @param pVCpu The cross context virtual CPU structure.
7746	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7747	* out-of-sync. Make sure to update the required fields
7748	* before using them.
7749	* @param u32ErrorCode The error code associated with the \#GP.
7750	*/
7751	DECLINLINE(void) hmR0VmxSetPendingXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint32_t u32ErrorCode)
7752	{
7753	NOREF(pMixedCtx);
7754	uint32_t u32IntInfo = X86_XCPT_GP \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7755	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7756	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7757	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, u32ErrorCode, 0 / GCPtrFaultAddress */);
7758	}
7759
7760
7761	/**
7762	* Sets a software interrupt (INTn) as pending-for-injection into the VM.
7763	*
7764	* @param pVCpu The cross context virtual CPU structure.
7765	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7766	* out-of-sync. Make sure to update the required fields
7767	* before using them.
7768	* @param uVector The software interrupt vector number.
7769	* @param cbInstr The value of RIP that is to be pushed on the guest
7770	* stack.
7771	*/
7772	DECLINLINE(void) hmR0VmxSetPendingIntN(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint16_t uVector, uint32_t cbInstr)
7773	{
7774	NOREF(pMixedCtx);
7775	uint32_t u32IntInfo = uVector \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7776	if ( uVector == X86_XCPT_BP
7777	\|\| uVector == X86_XCPT_OF)
7778	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7779	else
7780	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7781	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, cbInstr, 0 /* u32ErrCode /, 0 / GCPtrFaultAddress */);
7782	}
7783
7784
7785	/**
7786	* Pushes a 2-byte value onto the real-mode (in virtual-8086 mode) guest's
7787	* stack.
7788	*
7789	* @returns Strict VBox status code (i.e. informational status codes too).
7790	* @retval VINF_EM_RESET if pushing a value to the stack caused a triple-fault.
7791	* @param pVM The cross context VM structure.
7792	* @param pMixedCtx Pointer to the guest-CPU context.
7793	* @param uValue The value to push to the guest stack.
7794	*/
7795	DECLINLINE(VBOXSTRICTRC) hmR0VmxRealModeGuestStackPush(PVM pVM, PCPUMCTX pMixedCtx, uint16_t uValue)
7796	{
7797	/*
7798	* The stack limit is 0xffff in real-on-virtual 8086 mode. Real-mode with weird stack limits cannot be run in
7799	* virtual 8086 mode in VT-x. See Intel spec. 26.3.1.2 "Checks on Guest Segment Registers".
7800	* See Intel Instruction reference for PUSH and Intel spec. 22.33.1 "Segment Wraparound".
7801	*/
7802	if (pMixedCtx->sp == 1)
7803	return VINF_EM_RESET;
7804	pMixedCtx->sp -= sizeof(uint16_t); /* May wrap around which is expected behaviour. */
7805	int rc = PGMPhysSimpleWriteGCPhys(pVM, pMixedCtx->ss.u64Base + pMixedCtx->sp, &uValue, sizeof(uint16_t));
7806	AssertRC(rc);
7807	return rc;
7808	}
7809
7810
7811	/**
7812	* Injects an event into the guest upon VM-entry by updating the relevant fields
7813	* in the VM-entry area in the VMCS.
7814	*
7815	* @returns Strict VBox status code (i.e. informational status codes too).
7816	* @retval VINF_SUCCESS if the event is successfully injected into the VMCS.
7817	* @retval VINF_EM_RESET if event injection resulted in a triple-fault.
7818	*
7819	* @param pVCpu The cross context virtual CPU structure.
7820	* @param pMixedCtx Pointer to the guest-CPU context. The data may
7821	* be out-of-sync. Make sure to update the required
7822	* fields before using them.
7823	* @param u64IntInfo The VM-entry interruption-information field.
7824	* @param cbInstr The VM-entry instruction length in bytes (for
7825	* software interrupts, exceptions and privileged
7826	* software exceptions).
7827	* @param u32ErrCode The VM-entry exception error code.
7828	* @param GCPtrFaultAddress The page-fault address for \#PF exceptions.
7829	* @param puIntrState Pointer to the current guest interruptibility-state.
7830	* This interruptibility-state will be updated if
7831	* necessary. This cannot not be NULL.
7832	* @param fStepping Whether we're running in
7833	* hmR0VmxRunGuestCodeStep() and should return
7834	* VINF_EM_DBG_STEPPED if the event is injected
7835	* directly (register modified by us, not by
7836	* hardware on VM-entry).
7837	*
7838	* @remarks Requires CR0!
7839	* @remarks No-long-jump zone!!!
7840	*/
7841	static VBOXSTRICTRC hmR0VmxInjectEventVmcs(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint64_t u64IntInfo, uint32_t cbInstr,
7842	uint32_t u32ErrCode, RTGCUINTREG GCPtrFaultAddress, bool fStepping,
7843	uint32_t *puIntrState)
7844	{
7845	/* Intel spec. 24.8.3 "VM-Entry Controls for Event Injection" specifies the interruption-information field to be 32-bits. */
7846	AssertMsg(u64IntInfo >> 32 == 0, ("%#RX64\n", u64IntInfo));
7847	Assert(puIntrState);
7848	uint32_t u32IntInfo = (uint32_t)u64IntInfo;
7849
7850	uint32_t const uVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(u32IntInfo);
7851	uint32_t const uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(u32IntInfo);
7852
7853	#ifdef VBOX_STRICT
7854	/* Validate the error-code-valid bit for hardware exceptions. */
7855	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT)
7856	{
7857	switch (uVector)
7858	{
7859	case X86_XCPT_PF:
7860	case X86_XCPT_DF:
7861	case X86_XCPT_TS:
7862	case X86_XCPT_NP:
7863	case X86_XCPT_SS:
7864	case X86_XCPT_GP:
7865	case X86_XCPT_AC:
7866	AssertMsg(VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_IS_VALID(u32IntInfo),
7867	("Error-code-valid bit not set for exception that has an error code uVector=%#x\n", uVector));
7868	/* fallthru */
7869	default:
7870	break;
7871	}
7872	}
7873	#endif
7874
7875	/* Cannot inject an NMI when block-by-MOV SS is in effect. */
7876	Assert( uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI
7877	\|\| !(*puIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS));
7878
7879	STAM_COUNTER_INC(&pVCpu->hm.s.paStatInjectedIrqsR0[uVector & MASK_INJECT_IRQ_STAT]);
7880
7881	/* We require CR0 to check if the guest is in real-mode. */
7882	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
7883	AssertRCReturn(rc, rc);
7884
7885	/*
7886	* Hardware interrupts & exceptions cannot be delivered through the software interrupt redirection bitmap to the real
7887	* mode task in virtual-8086 mode. We must jump to the interrupt handler in the (real-mode) guest.
7888	* See Intel spec. 20.3 "Interrupt and Exception handling in Virtual-8086 Mode" for interrupt & exception classes.
7889	* See Intel spec. 20.1.4 "Interrupt and Exception Handling" for real-mode interrupt handling.
7890	*/
7891	if (CPUMIsGuestInRealModeEx(pMixedCtx))
7892	{
7893	PVM pVM = pVCpu->CTX_SUFF(pVM);
7894	if (!pVM->hm.s.vmx.fUnrestrictedGuest)
7895	{
7896	Assert(PDMVmmDevHeapIsEnabled(pVM));
7897	Assert(pVM->hm.s.vmx.pRealModeTSS);
7898
7899	/* We require RIP, RSP, RFLAGS, CS, IDTR. Save the required ones from the VMCS. */
7900	rc = hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
7901	rc \|= hmR0VmxSaveGuestTableRegs(pVCpu, pMixedCtx);
7902	rc \|= hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
7903	AssertRCReturn(rc, rc);
7904	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RIP));
7905
7906	/* Check if the interrupt handler is present in the IVT (real-mode IDT). IDT limit is (4N - 1). */
7907	size_t const cbIdtEntry = sizeof(X86IDTR16);
7908	if (uVector * cbIdtEntry + (cbIdtEntry - 1) > pMixedCtx->idtr.cbIdt)
7909	{
7910	/* If we are trying to inject a #DF with no valid IDT entry, return a triple-fault. */
7911	if (uVector == X86_XCPT_DF)
7912	return VINF_EM_RESET;
7913
7914	/* If we're injecting a #GP with no valid IDT entry, inject a double-fault. */
7915	if (uVector == X86_XCPT_GP)
7916	return hmR0VmxInjectXcptDF(pVCpu, pMixedCtx, fStepping, puIntrState);
7917
7918	/* If we're injecting an interrupt/exception with no valid IDT entry, inject a general-protection fault. */
7919	/* No error codes for exceptions in real-mode. See Intel spec. 20.1.4 "Interrupt and Exception Handling" */
7920	return hmR0VmxInjectXcptGP(pVCpu, pMixedCtx, false /* fErrCodeValid /, 0 / u32ErrCode */,
7921	fStepping, puIntrState);
7922	}
7923
7924	/* Software exceptions (#BP and #OF exceptions thrown as a result of INT3 or INTO) */
7925	uint16_t uGuestIp = pMixedCtx->ip;
7926	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT)
7927	{
7928	Assert(uVector == X86_XCPT_BP \|\| uVector == X86_XCPT_OF);
7929	/* #BP and #OF are both benign traps, we need to resume the next instruction. */
7930	uGuestIp = pMixedCtx->ip + (uint16_t)cbInstr;
7931	}
7932	else if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT)
7933	uGuestIp = pMixedCtx->ip + (uint16_t)cbInstr;
7934
7935	/* Get the code segment selector and offset from the IDT entry for the interrupt handler. */
7936	X86IDTR16 IdtEntry;
7937	RTGCPHYS GCPhysIdtEntry = (RTGCPHYS)pMixedCtx->idtr.pIdt + uVector * cbIdtEntry;
7938	rc = PGMPhysSimpleReadGCPhys(pVM, &IdtEntry, GCPhysIdtEntry, cbIdtEntry);
7939	AssertRCReturn(rc, rc);
7940
7941	/* Construct the stack frame for the interrupt/exception handler. */
7942	VBOXSTRICTRC rcStrict;
7943	rcStrict = hmR0VmxRealModeGuestStackPush(pVM, pMixedCtx, pMixedCtx->eflags.u32);
7944	if (rcStrict == VINF_SUCCESS)
7945	rcStrict = hmR0VmxRealModeGuestStackPush(pVM, pMixedCtx, pMixedCtx->cs.Sel);
7946	if (rcStrict == VINF_SUCCESS)
7947	rcStrict = hmR0VmxRealModeGuestStackPush(pVM, pMixedCtx, uGuestIp);
7948
7949	/* Clear the required eflag bits and jump to the interrupt/exception handler. */
7950	if (rcStrict == VINF_SUCCESS)
7951	{
7952	pMixedCtx->eflags.u32 &= ~(X86_EFL_IF \| X86_EFL_TF \| X86_EFL_RF \| X86_EFL_AC);
7953	pMixedCtx->rip = IdtEntry.offSel;
7954	pMixedCtx->cs.Sel = IdtEntry.uSel;
7955	pMixedCtx->cs.ValidSel = IdtEntry.uSel;
7956	pMixedCtx->cs.u64Base = IdtEntry.uSel << cbIdtEntry;
7957	if ( uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT
7958	&& uVector == X86_XCPT_PF)
7959	pMixedCtx->cr2 = GCPtrFaultAddress;
7960
7961	/* If any other guest-state bits are changed here, make sure to update
7962	hmR0VmxPreRunGuestCommitted() when thread-context hooks are used. */
7963	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS
7964	\| HM_CHANGED_GUEST_RIP
7965	\| HM_CHANGED_GUEST_RFLAGS
7966	\| HM_CHANGED_GUEST_RSP);
7967
7968	/* We're clearing interrupts, which means no block-by-STI interrupt-inhibition. */
7969	if (*puIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
7970	{
7971	Assert( uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI
7972	&& uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT);
7973	Log4(("Clearing inhibition due to STI.\n"));
7974	*puIntrState &= ~VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI;
7975	}
7976	Log4(("Injecting real-mode: u32IntInfo=%#x u32ErrCode=%#x cbInstr=%#x Eflags=%#x CS:EIP=%04x:%04x\n",
7977	u32IntInfo, u32ErrCode, cbInstr, pMixedCtx->eflags.u, pMixedCtx->cs.Sel, pMixedCtx->eip));
7978
7979	/* The event has been truly dispatched. Mark it as no longer pending so we don't attempt to 'undo'
7980	it, if we are returning to ring-3 before executing guest code. */
7981	pVCpu->hm.s.Event.fPending = false;
7982
7983	/* Make hmR0VmxPreRunGuest return if we're stepping since we've changed cs:rip. */
7984	if (fStepping)
7985	rcStrict = VINF_EM_DBG_STEPPED;
7986	}
7987	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_EM_RESET \|\| (rcStrict == VINF_EM_DBG_STEPPED && fStepping),
7988	("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
7989	return rcStrict;
7990	}
7991
7992	/*
7993	* For unrestricted execution enabled CPUs running real-mode guests, we must not set the deliver-error-code bit.
7994	* See Intel spec. 26.2.1.3 "VM-Entry Control Fields".
7995	*/
7996	u32IntInfo &= ~VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7997	}
7998
7999	/* Validate. */
8000	Assert(VMX_EXIT_INTERRUPTION_INFO_IS_VALID(u32IntInfo)); /* Bit 31 (Valid bit) must be set by caller. */
8001	Assert(!VMX_EXIT_INTERRUPTION_INFO_NMI_UNBLOCK_IRET(u32IntInfo)); /* Bit 12 MBZ. */
8002	Assert(!(u32IntInfo & 0x7ffff000)); /* Bits 30:12 MBZ. */
8003
8004	/* Inject. */
8005	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, u32IntInfo);
8006	if (VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_IS_VALID(u32IntInfo))
8007	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE, u32ErrCode);
8008	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH, cbInstr);
8009
8010	if ( VMX_EXIT_INTERRUPTION_INFO_TYPE(u32IntInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT
8011	&& uVector == X86_XCPT_PF)
8012	pMixedCtx->cr2 = GCPtrFaultAddress;
8013
8014	Log4(("Injecting vcpu[%RU32] u32IntInfo=%#x u32ErrCode=%#x cbInstr=%#x pMixedCtx->uCR2=%#RX64\n", pVCpu->idCpu,
8015	u32IntInfo, u32ErrCode, cbInstr, pMixedCtx->cr2));
8016
8017	AssertRCReturn(rc, rc);
8018	return VINF_SUCCESS;
8019	}
8020
8021
8022	/**
8023	* Clears the interrupt-window exiting control in the VMCS and if necessary
8024	* clears the current event in the VMCS as well.
8025	*
8026	* @returns VBox status code.
8027	* @param pVCpu The cross context virtual CPU structure.
8028	*
8029	* @remarks Use this function only to clear events that have not yet been
8030	* delivered to the guest but are injected in the VMCS!
8031	* @remarks No-long-jump zone!!!
8032	*/
8033	static void hmR0VmxClearIntNmiWindowsVmcs(PVMCPU pVCpu)
8034	{
8035	Log4Func(("vcpu[%d]\n", pVCpu->idCpu));
8036
8037	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT)
8038	hmR0VmxClearIntWindowExitVmcs(pVCpu);
8039
8040	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT)
8041	hmR0VmxClearNmiWindowExitVmcs(pVCpu);
8042	}
8043
8044
8045	/**
8046	* Enters the VT-x session.
8047	*
8048	* @returns VBox status code.
8049	* @param pVM The cross context VM structure.
8050	* @param pVCpu The cross context virtual CPU structure.
8051	* @param pCpu Pointer to the CPU info struct.
8052	*/
8053	VMMR0DECL(int) VMXR0Enter(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
8054	{
8055	AssertPtr(pVM);
8056	AssertPtr(pVCpu);
8057	Assert(pVM->hm.s.vmx.fSupported);
8058	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8059	NOREF(pCpu); NOREF(pVM);
8060
8061	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
8062	Assert(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_HOST_CONTEXT \| HM_CHANGED_HOST_GUEST_SHARED_STATE));
8063
8064	#ifdef VBOX_STRICT
8065	/* At least verify VMX is enabled, since we can't check if we're in VMX root mode without #GP'ing. */
8066	RTCCUINTREG uHostCR4 = ASMGetCR4();
8067	if (!(uHostCR4 & X86_CR4_VMXE))
8068	{
8069	LogRel(("VMXR0Enter: X86_CR4_VMXE bit in CR4 is not set!\n"));
8070	return VERR_VMX_X86_CR4_VMXE_CLEARED;
8071	}
8072	#endif
8073
8074	/*
8075	* Load the VCPU's VMCS as the current (and active) one.
8076	*/
8077	Assert(pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_CLEAR);
8078	int rc = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
8079	if (RT_FAILURE(rc))
8080	return rc;
8081
8082	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_ACTIVE;
8083	pVCpu->hm.s.fLeaveDone = false;
8084	Log4Func(("Activated Vmcs. HostCpuId=%u\n", RTMpCpuId()));
8085
8086	return VINF_SUCCESS;
8087	}
8088
8089
8090	/**
8091	* The thread-context callback (only on platforms which support it).
8092	*
8093	* @param enmEvent The thread-context event.
8094	* @param pVCpu The cross context virtual CPU structure.
8095	* @param fGlobalInit Whether global VT-x/AMD-V init. was used.
8096	* @thread EMT(pVCpu)
8097	*/
8098	VMMR0DECL(void) VMXR0ThreadCtxCallback(RTTHREADCTXEVENT enmEvent, PVMCPU pVCpu, bool fGlobalInit)
8099	{
8100	NOREF(fGlobalInit);
8101
8102	switch (enmEvent)
8103	{
8104	case RTTHREADCTXEVENT_OUT:
8105	{
8106	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8107	Assert(VMMR0ThreadCtxHookIsEnabled(pVCpu));
8108	VMCPU_ASSERT_EMT(pVCpu);
8109
8110	PVM pVM = pVCpu->CTX_SUFF(pVM);
8111	PCPUMCTX pMixedCtx = CPUMQueryGuestCtxPtr(pVCpu);
8112
8113	/* No longjmps (logger flushes, locks) in this fragile context. */
8114	VMMRZCallRing3Disable(pVCpu);
8115	Log4Func(("Preempting: HostCpuId=%u\n", RTMpCpuId()));
8116
8117	/*
8118	* Restore host-state (FPU, debug etc.)
8119	*/
8120	if (!pVCpu->hm.s.fLeaveDone)
8121	{
8122	/* Do -not- save guest-state here as we might already be in the middle of saving it (esp. bad if we are
8123	holding the PGM lock while saving the guest state (see hmR0VmxSaveGuestControlRegs()). */
8124	hmR0VmxLeave(pVM, pVCpu, pMixedCtx, false /* fSaveGuestState */);
8125	pVCpu->hm.s.fLeaveDone = true;
8126	}
8127
8128	/* Leave HM context, takes care of local init (term). */
8129	int rc = HMR0LeaveCpu(pVCpu);
8130	AssertRC(rc); NOREF(rc);
8131
8132	/* Restore longjmp state. */
8133	VMMRZCallRing3Enable(pVCpu);
8134	STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatSwitchPreempt);
8135	break;
8136	}
8137
8138	case RTTHREADCTXEVENT_IN:
8139	{
8140	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8141	Assert(VMMR0ThreadCtxHookIsEnabled(pVCpu));
8142	VMCPU_ASSERT_EMT(pVCpu);
8143
8144	/* No longjmps here, as we don't want to trigger preemption (& its hook) while resuming. */
8145	VMMRZCallRing3Disable(pVCpu);
8146	Log4Func(("Resumed: HostCpuId=%u\n", RTMpCpuId()));
8147
8148	/* Initialize the bare minimum state required for HM. This takes care of
8149	initializing VT-x if necessary (onlined CPUs, local init etc.) */
8150	int rc = HMR0EnterCpu(pVCpu);
8151	AssertRC(rc);
8152	Assert(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_HOST_CONTEXT \| HM_CHANGED_HOST_GUEST_SHARED_STATE));
8153
8154	/* Load the active VMCS as the current one. */
8155	if (pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_CLEAR)
8156	{
8157	rc = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
8158	AssertRC(rc); NOREF(rc);
8159	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_ACTIVE;
8160	Log4Func(("Resumed: Activated Vmcs. HostCpuId=%u\n", RTMpCpuId()));
8161	}
8162	pVCpu->hm.s.fLeaveDone = false;
8163
8164	/* Restore longjmp state. */
8165	VMMRZCallRing3Enable(pVCpu);
8166	break;
8167	}
8168
8169	default:
8170	break;
8171	}
8172	}
8173
8174
8175	/**
8176	* Saves the host state in the VMCS host-state.
8177	* Sets up the VM-exit MSR-load area.
8178	*
8179	* The CPU state will be loaded from these fields on every successful VM-exit.
8180	*
8181	* @returns VBox status code.
8182	* @param pVM The cross context VM structure.
8183	* @param pVCpu The cross context virtual CPU structure.
8184	*
8185	* @remarks No-long-jump zone!!!
8186	*/
8187	static int hmR0VmxSaveHostState(PVM pVM, PVMCPU pVCpu)
8188	{
8189	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8190
8191	int rc = VINF_SUCCESS;
8192	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_CONTEXT))
8193	{
8194	rc = hmR0VmxSaveHostControlRegs(pVM, pVCpu);
8195	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveHostControlRegisters failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8196
8197	rc = hmR0VmxSaveHostSegmentRegs(pVM, pVCpu);
8198	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveHostSegmentRegisters failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8199
8200	rc = hmR0VmxSaveHostMsrs(pVM, pVCpu);
8201	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveHostMsrs failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8202
8203	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_HOST_CONTEXT);
8204	}
8205	return rc;
8206	}
8207
8208
8209	/**
8210	* Saves the host state in the VMCS host-state.
8211	*
8212	* @returns VBox status code.
8213	* @param pVM The cross context VM structure.
8214	* @param pVCpu The cross context virtual CPU structure.
8215	*
8216	* @remarks No-long-jump zone!!!
8217	*/
8218	VMMR0DECL(int) VMXR0SaveHostState(PVM pVM, PVMCPU pVCpu)
8219	{
8220	AssertPtr(pVM);
8221	AssertPtr(pVCpu);
8222
8223	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
8224
8225	/* Save the host state here while entering HM context. When thread-context hooks are used, we might get preempted
8226	and have to resave the host state but most of the time we won't be, so do it here before we disable interrupts. */
8227	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8228	return hmR0VmxSaveHostState(pVM, pVCpu);
8229	}
8230
8231
8232	/**
8233	* Loads the guest state into the VMCS guest-state area.
8234	*
8235	* The will typically be done before VM-entry when the guest-CPU state and the
8236	* VMCS state may potentially be out of sync.
8237	*
8238	* Sets up the VM-entry MSR-load and VM-exit MSR-store areas. Sets up the
8239	* VM-entry controls.
8240	* Sets up the appropriate VMX non-root function to execute guest code based on
8241	* the guest CPU mode.
8242	*
8243	* @returns VBox strict status code.
8244	* @retval VINF_EM_RESCHEDULE_REM if we try to emulate non-paged guest code
8245	* without unrestricted guest access and the VMMDev is not presently
8246	* mapped (e.g. EFI32).
8247	*
8248	* @param pVM The cross context VM structure.
8249	* @param pVCpu The cross context virtual CPU structure.
8250	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8251	* out-of-sync. Make sure to update the required fields
8252	* before using them.
8253	*
8254	* @remarks No-long-jump zone!!! (Disables and enables long jmps for itself,
8255	* caller disables then again on successfull return. Confusing.)
8256	*/
8257	static VBOXSTRICTRC hmR0VmxLoadGuestState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
8258	{
8259	AssertPtr(pVM);
8260	AssertPtr(pVCpu);
8261	AssertPtr(pMixedCtx);
8262	HMVMX_ASSERT_PREEMPT_SAFE();
8263
8264	VMMRZCallRing3Disable(pVCpu);
8265	Assert(VMMR0IsLogFlushDisabled(pVCpu));
8266
8267	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
8268
8269	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatLoadGuestState, x);
8270
8271	/* Determine real-on-v86 mode. */
8272	pVCpu->hm.s.vmx.RealMode.fRealOnV86Active = false;
8273	if ( !pVM->hm.s.vmx.fUnrestrictedGuest
8274	&& CPUMIsGuestInRealModeEx(pMixedCtx))
8275	{
8276	pVCpu->hm.s.vmx.RealMode.fRealOnV86Active = true;
8277	}
8278
8279	/*
8280	* Load the guest-state into the VMCS.
8281	* Any ordering dependency among the sub-functions below must be explicitly stated using comments.
8282	* Ideally, assert that the cross-dependent bits are up-to-date at the point of using it.
8283	*/
8284	int rc = hmR0VmxSetupVMRunHandler(pVCpu, pMixedCtx);
8285	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSetupVMRunHandler! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8286
8287	/* This needs to be done after hmR0VmxSetupVMRunHandler() as changing pfnStartVM may require VM-entry control updates. */
8288	rc = hmR0VmxLoadGuestEntryCtls(pVCpu, pMixedCtx);
8289	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestEntryCtls! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8290
8291	/* This needs to be done after hmR0VmxSetupVMRunHandler() as changing pfnStartVM may require VM-exit control updates. */
8292	rc = hmR0VmxLoadGuestExitCtls(pVCpu, pMixedCtx);
8293	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSetupExitCtls failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8294
8295	rc = hmR0VmxLoadGuestActivityState(pVCpu, pMixedCtx);
8296	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestActivityState! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8297
8298	VBOXSTRICTRC rcStrict = hmR0VmxLoadGuestCR3AndCR4(pVCpu, pMixedCtx);
8299	if (rcStrict == VINF_SUCCESS)
8300	{ /* likely */ }
8301	else
8302	{
8303	VMMRZCallRing3Enable(pVCpu);
8304	Assert(rcStrict == VINF_EM_RESCHEDULE_REM \|\| RT_FAILURE_NP(rcStrict));
8305	return rcStrict;
8306	}
8307
8308	/* Assumes pMixedCtx->cr0 is up-to-date (strict builds require CR0 for segment register validation checks). */
8309	rc = hmR0VmxLoadGuestSegmentRegs(pVCpu, pMixedCtx);
8310	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestSegmentRegs: rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8311
8312	/* This needs to be done after hmR0VmxLoadGuestEntryCtls() and hmR0VmxLoadGuestExitCtls() as it may alter controls if we
8313	determine we don't have to swap EFER after all. */
8314	rc = hmR0VmxLoadGuestMsrs(pVCpu, pMixedCtx);
8315	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadSharedMsrs! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8316
8317	rc = hmR0VmxLoadGuestApicState(pVCpu, pMixedCtx);
8318	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestApicState! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8319
8320	rc = hmR0VmxLoadGuestXcptIntercepts(pVCpu, pMixedCtx);
8321	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestXcptIntercepts! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8322
8323	/*
8324	* Loading Rflags here is fine, even though Rflags.TF might depend on guest debug state (which is not loaded here).
8325	* It is re-evaluated and updated if necessary in hmR0VmxLoadSharedState().
8326	*/
8327	rc = hmR0VmxLoadGuestRipRspRflags(pVCpu, pMixedCtx);
8328	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestRipRspRflags! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8329
8330	/* Clear any unused and reserved bits. */
8331	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR2);
8332
8333	VMMRZCallRing3Enable(pVCpu);
8334
8335	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatLoadGuestState, x);
8336	return rc;
8337	}
8338
8339
8340	/**
8341	* Loads the state shared between the host and guest into the VMCS.
8342	*
8343	* @param pVM The cross context VM structure.
8344	* @param pVCpu The cross context virtual CPU structure.
8345	* @param pCtx Pointer to the guest-CPU context.
8346	*
8347	* @remarks No-long-jump zone!!!
8348	*/
8349	static void hmR0VmxLoadSharedState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
8350	{
8351	NOREF(pVM);
8352
8353	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8354	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
8355
8356	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR0))
8357	{
8358	int rc = hmR0VmxLoadSharedCR0(pVCpu, pCtx);
8359	AssertRC(rc);
8360	}
8361
8362	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_DEBUG))
8363	{
8364	int rc = hmR0VmxLoadSharedDebugState(pVCpu, pCtx);
8365	AssertRC(rc);
8366
8367	/* Loading shared debug bits might have changed eflags.TF bit for debugging purposes. */
8368	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RFLAGS))
8369	{
8370	rc = hmR0VmxLoadGuestRflags(pVCpu, pCtx);
8371	AssertRC(rc);
8372	}
8373	}
8374
8375	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_LAZY_MSRS))
8376	{
8377	hmR0VmxLazyLoadGuestMsrs(pVCpu, pCtx);
8378	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_LAZY_MSRS);
8379	}
8380
8381	/* Loading CR0, debug state might have changed intercepts, update VMCS. */
8382	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS))
8383	{
8384	Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_AC));
8385	Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_DB));
8386	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap);
8387	AssertRC(rc);
8388	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
8389	}
8390
8391	AssertMsg(!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_GUEST_SHARED_STATE),
8392	("fContextUseFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8393	}
8394
8395
8396	/**
8397	* Worker for loading the guest-state bits in the inner VT-x execution loop.
8398	*
8399	* @returns Strict VBox status code (i.e. informational status codes too).
8400	* @retval VINF_EM_RESCHEDULE_REM if we try to emulate non-paged guest code
8401	* without unrestricted guest access and the VMMDev is not presently
8402	* mapped (e.g. EFI32).
8403	*
8404	* @param pVM The cross context VM structure.
8405	* @param pVCpu The cross context virtual CPU structure.
8406	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8407	* out-of-sync. Make sure to update the required fields
8408	* before using them.
8409	*/
8410	static VBOXSTRICTRC hmR0VmxLoadGuestStateOptimal(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
8411	{
8412	HMVMX_ASSERT_PREEMPT_SAFE();
8413
8414	Log5(("LoadFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8415	#ifdef HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE
8416	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
8417	#endif
8418
8419	VBOXSTRICTRC rcStrict = VINF_SUCCESS;
8420	if (HMCPU_CF_IS_SET_ONLY(pVCpu, HM_CHANGED_GUEST_RIP))
8421	{
8422	rcStrict = hmR0VmxLoadGuestRip(pVCpu, pMixedCtx);
8423	if (RT_LIKELY(rcStrict == VINF_SUCCESS))
8424	{ /* likely */}
8425	else
8426	{
8427	AssertLogRelMsgFailedReturn(("hmR0VmxLoadGuestStateOptimal: hmR0VmxLoadGuestRip failed! rc=%Rrc\n",
8428	VBOXSTRICTRC_VAL(rcStrict)), rcStrict);
8429	}
8430	STAM_COUNTER_INC(&pVCpu->hm.s.StatLoadMinimal);
8431	}
8432	else if (HMCPU_CF_VALUE(pVCpu))
8433	{
8434	rcStrict = hmR0VmxLoadGuestState(pVM, pVCpu, pMixedCtx);
8435	if (RT_LIKELY(rcStrict == VINF_SUCCESS))
8436	{ /* likely */}
8437	else
8438	{
8439	AssertLogRelMsg(rcStrict == VINF_EM_RESCHEDULE_REM,
8440	("hmR0VmxLoadGuestStateOptimal: hmR0VmxLoadGuestState failed! rc=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
8441	return rcStrict;
8442	}
8443	STAM_COUNTER_INC(&pVCpu->hm.s.StatLoadFull);
8444	}
8445
8446	/* All the guest state bits should be loaded except maybe the host context and/or the shared host/guest bits. */
8447	AssertMsg( !HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_ALL_GUEST)
8448	\|\| HMCPU_CF_IS_PENDING_ONLY(pVCpu, HM_CHANGED_HOST_CONTEXT \| HM_CHANGED_HOST_GUEST_SHARED_STATE),
8449	("fContextUseFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8450	return rcStrict;
8451	}
8452
8453
8454	/**
8455	* Does the preparations before executing guest code in VT-x.
8456	*
8457	* This may cause longjmps to ring-3 and may even result in rescheduling to the
8458	* recompiler/IEM. We must be cautious what we do here regarding committing
8459	* guest-state information into the VMCS assuming we assuredly execute the
8460	* guest in VT-x mode.
8461	*
8462	* If we fall back to the recompiler/IEM after updating the VMCS and clearing
8463	* the common-state (TRPM/forceflags), we must undo those changes so that the
8464	* recompiler/IEM can (and should) use them when it resumes guest execution.
8465	* Otherwise such operations must be done when we can no longer exit to ring-3.
8466	*
8467	* @returns Strict VBox status code (i.e. informational status codes too).
8468	* @retval VINF_SUCCESS if we can proceed with running the guest, interrupts
8469	* have been disabled.
8470	* @retval VINF_EM_RESET if a triple-fault occurs while injecting a
8471	* double-fault into the guest.
8472	* @retval VINF_EM_DBG_STEPPED if @a fStepping is true and an event was
8473	* dispatched directly.
8474	* @retval VINF_* scheduling changes, we have to go back to ring-3.
8475	*
8476	* @param pVM The cross context VM structure.
8477	* @param pVCpu The cross context virtual CPU structure.
8478	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8479	* out-of-sync. Make sure to update the required fields
8480	* before using them.
8481	* @param pVmxTransient Pointer to the VMX transient structure.
8482	* @param fStepping Set if called from hmR0VmxRunGuestCodeStep(). Makes
8483	* us ignore some of the reasons for returning to
8484	* ring-3, and return VINF_EM_DBG_STEPPED if event
8485	* dispatching took place.
8486	*/
8487	static VBOXSTRICTRC hmR0VmxPreRunGuest(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, bool fStepping)
8488	{
8489	Assert(VMMRZCallRing3IsEnabled(pVCpu));
8490
8491	#ifdef VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0
8492	PGMRZDynMapFlushAutoSet(pVCpu);
8493	#endif
8494
8495	/* Check force flag actions that might require us to go back to ring-3. */
8496	VBOXSTRICTRC rcStrict = hmR0VmxCheckForceFlags(pVM, pVCpu, pMixedCtx, fStepping);
8497	if (rcStrict == VINF_SUCCESS)
8498	{ /* FFs doesn't get set all the time. */ }
8499	else
8500	return rcStrict;
8501
8502	#ifndef IEM_VERIFICATION_MODE_FULL
8503	/* Setup the Virtualized APIC accesses. pMixedCtx->msrApicBase is always up-to-date. It's not part of the VMCS. */
8504	if ( pVCpu->hm.s.vmx.u64MsrApicBase != pMixedCtx->msrApicBase
8505	&& (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC))
8506	{
8507	Assert(pVM->hm.s.vmx.HCPhysApicAccess);
8508	RTGCPHYS GCPhysApicBase;
8509	GCPhysApicBase = pMixedCtx->msrApicBase;
8510	GCPhysApicBase &= PAGE_BASE_GC_MASK;
8511
8512	/* Unalias any existing mapping. */
8513	int rc = PGMHandlerPhysicalReset(pVM, GCPhysApicBase);
8514	AssertRCReturn(rc, rc);
8515
8516	/* Map the HC APIC-access page into the GC space, this also updates the shadow page tables if necessary. */
8517	Log4(("Mapped HC APIC-access page into GC: GCPhysApicBase=%#RGp\n", GCPhysApicBase));
8518	rc = IOMMMIOMapMMIOHCPage(pVM, pVCpu, GCPhysApicBase, pVM->hm.s.vmx.HCPhysApicAccess, X86_PTE_RW \| X86_PTE_P);
8519	AssertRCReturn(rc, rc);
8520
8521	pVCpu->hm.s.vmx.u64MsrApicBase = pMixedCtx->msrApicBase;
8522	}
8523	#endif /* !IEM_VERIFICATION_MODE_FULL */
8524
8525	if (TRPMHasTrap(pVCpu))
8526	hmR0VmxTrpmTrapToPendingEvent(pVCpu);
8527	uint32_t uIntrState = hmR0VmxEvaluatePendingEvent(pVCpu, pMixedCtx);
8528
8529	/*
8530	* Event injection may take locks (currently the PGM lock for real-on-v86 case) and thus needs to be done with
8531	* longjmps or interrupts + preemption enabled. Event injection might also result in triple-faulting the VM.
8532	*/
8533	rcStrict = hmR0VmxInjectPendingEvent(pVCpu, pMixedCtx, uIntrState, fStepping);
8534	if (RT_LIKELY(rcStrict == VINF_SUCCESS))
8535	{ /* likely */ }
8536	else
8537	{
8538	AssertMsg(rcStrict == VINF_EM_RESET \|\| (rcStrict == VINF_EM_DBG_STEPPED && fStepping),
8539	("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
8540	return rcStrict;
8541	}
8542
8543	/*
8544	* Load the guest state bits, we can handle longjmps/getting preempted here.
8545	*
8546	* If we are injecting events to a real-on-v86 mode guest, we will have to update
8547	* RIP and some segment registers, i.e. hmR0VmxInjectPendingEvent()->hmR0VmxInjectEventVmcs().
8548	* Hence, this needs to be done -after- injection of events.
8549	*/
8550	rcStrict = hmR0VmxLoadGuestStateOptimal(pVM, pVCpu, pMixedCtx);
8551	if (RT_LIKELY(rcStrict == VINF_SUCCESS))
8552	{ /* likely */ }
8553	else
8554	return rcStrict;
8555
8556	/*
8557	* No longjmps to ring-3 from this point on!!!
8558	* Asserts() will still longjmp to ring-3 (but won't return), which is intentional, better than a kernel panic.
8559	* This also disables flushing of the R0-logger instance (if any).
8560	*/
8561	VMMRZCallRing3Disable(pVCpu);
8562
8563	/*
8564	* We disable interrupts so that we don't miss any interrupts that would flag preemption (IPI/timers etc.)
8565	* when thread-context hooks aren't used and we've been running with preemption disabled for a while.
8566	*
8567	* We need to check for force-flags that could've possible been altered since we last checked them (e.g.
8568	* by PDMGetInterrupt() leaving the PDM critical section, see @bugref{6398}).
8569	*
8570	* We also check a couple of other force-flags as a last opportunity to get the EMT back to ring-3 before
8571	* executing guest code.
8572	*/
8573	pVmxTransient->fEFlags = ASMIntDisableFlags();
8574
8575	if ( ( !VM_FF_IS_PENDING(pVM, VM_FF_EMT_RENDEZVOUS \| VM_FF_TM_VIRTUAL_SYNC)
8576	&& !VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_TO_R3_MASK))
8577	\|\| ( fStepping /* Optimized for the non-stepping case, so a bit of unnecessary work when stepping. */
8578	&& !VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_TO_R3_MASK & ~(VMCPU_FF_TIMER \| VMCPU_FF_PDM_CRITSECT))) )
8579	{
8580	if (!RTThreadPreemptIsPending(NIL_RTTHREAD))
8581	{
8582	/* We've injected any pending events. This is really the point of no return (to ring-3). */
8583	pVCpu->hm.s.Event.fPending = false;
8584
8585	return VINF_SUCCESS;
8586	}
8587
8588	STAM_COUNTER_INC(&pVCpu->hm.s.StatPendingHostIrq);
8589	rcStrict = VINF_EM_RAW_INTERRUPT;
8590	}
8591	else
8592	{
8593	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHmToR3FF);
8594	rcStrict = VINF_EM_RAW_TO_R3;
8595	}
8596
8597	ASMSetFlags(pVmxTransient->fEFlags);
8598	VMMRZCallRing3Enable(pVCpu);
8599
8600	return rcStrict;
8601	}
8602
8603
8604	/**
8605	* Prepares to run guest code in VT-x and we've committed to doing so. This
8606	* means there is no backing out to ring-3 or anywhere else at this
8607	* point.
8608	*
8609	* @param pVM The cross context VM structure.
8610	* @param pVCpu The cross context virtual CPU structure.
8611	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8612	* out-of-sync. Make sure to update the required fields
8613	* before using them.
8614	* @param pVmxTransient Pointer to the VMX transient structure.
8615	*
8616	* @remarks Called with preemption disabled.
8617	* @remarks No-long-jump zone!!!
8618	*/
8619	static void hmR0VmxPreRunGuestCommitted(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
8620	{
8621	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
8622	Assert(VMMR0IsLogFlushDisabled(pVCpu));
8623	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8624
8625	/*
8626	* Indicate start of guest execution and where poking EMT out of guest-context is recognized.
8627	*/
8628	VMCPU_ASSERT_STATE(pVCpu, VMCPUSTATE_STARTED_HM);
8629	VMCPU_SET_STATE(pVCpu, VMCPUSTATE_STARTED_EXEC);
8630
8631	#ifdef HMVMX_ALWAYS_SWAP_FPU_STATE
8632	if (!CPUMIsGuestFPUStateActive(pVCpu))
8633	if (CPUMR0LoadGuestFPU(pVM, pVCpu) == VINF_CPUM_HOST_CR0_MODIFIED)
8634	HMCPU_CF_SET(pVCpu, HM_CHANGED_HOST_CONTEXT);
8635	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
8636	#endif
8637
8638	if ( pVCpu->hm.s.fPreloadGuestFpu
8639	&& !CPUMIsGuestFPUStateActive(pVCpu))
8640	{
8641	if (CPUMR0LoadGuestFPU(pVM, pVCpu) == VINF_CPUM_HOST_CR0_MODIFIED)
8642	HMCPU_CF_SET(pVCpu, HM_CHANGED_HOST_CONTEXT);
8643	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0));
8644	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
8645	}
8646
8647	/*
8648	* Lazy-update of the host MSRs values in the auto-load/store MSR area.
8649	*/
8650	if ( !pVCpu->hm.s.vmx.fUpdatedHostMsrs
8651	&& pVCpu->hm.s.vmx.cMsrs > 0)
8652	{
8653	hmR0VmxUpdateAutoLoadStoreHostMsrs(pVCpu);
8654	}
8655
8656	/*
8657	* Load the host state bits as we may've been preempted (only happens when
8658	* thread-context hooks are used or when hmR0VmxSetupVMRunHandler() changes pfnStartVM).
8659	*/
8660	/** @todo Why should hmR0VmxSetupVMRunHandler() changing pfnStartVM have
8661	* any effect to the host state needing to be saved? */
8662	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_CONTEXT))
8663	{
8664	/* This ASSUMES that pfnStartVM has been set up already. */
8665	int rc = hmR0VmxSaveHostState(pVM, pVCpu);
8666	AssertRC(rc);
8667	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchPreemptSaveHostState);
8668	}
8669	Assert(!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_CONTEXT));
8670
8671	/*
8672	* Load the state shared between host and guest (FPU, debug, lazy MSRs).
8673	*/
8674	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_GUEST_SHARED_STATE))
8675	hmR0VmxLoadSharedState(pVM, pVCpu, pMixedCtx);
8676	AssertMsg(!HMCPU_CF_VALUE(pVCpu), ("fContextUseFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8677
8678	/* Store status of the shared guest-host state at the time of VM-entry. */
8679	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
8680	if (CPUMIsGuestInLongModeEx(pMixedCtx))
8681	{
8682	pVmxTransient->fWasGuestDebugStateActive = CPUMIsGuestDebugStateActivePending(pVCpu);
8683	pVmxTransient->fWasHyperDebugStateActive = CPUMIsHyperDebugStateActivePending(pVCpu);
8684	}
8685	else
8686	#endif
8687	{
8688	pVmxTransient->fWasGuestDebugStateActive = CPUMIsGuestDebugStateActive(pVCpu);
8689	pVmxTransient->fWasHyperDebugStateActive = CPUMIsHyperDebugStateActive(pVCpu);
8690	}
8691	pVmxTransient->fWasGuestFPUStateActive = CPUMIsGuestFPUStateActive(pVCpu);
8692
8693	/*
8694	* Cache the TPR-shadow for checking on every VM-exit if it might have changed.
8695	*/
8696	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
8697	pVmxTransient->u8GuestTpr = pVCpu->hm.s.vmx.pbVirtApic[0x80];
8698
8699	PHMGLOBALCPUINFO pCpu = HMR0GetCurrentCpu();
8700	RTCPUID idCurrentCpu = pCpu->idCpu;
8701	if ( pVmxTransient->fUpdateTscOffsettingAndPreemptTimer
8702	\|\| idCurrentCpu != pVCpu->hm.s.idLastCpu)
8703	{
8704	hmR0VmxUpdateTscOffsettingAndPreemptTimer(pVM, pVCpu);
8705	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = false;
8706	}
8707
8708	ASMAtomicWriteBool(&pVCpu->hm.s.fCheckedTLBFlush, true); /* Used for TLB flushing, set this across the world switch. */
8709	hmR0VmxFlushTaggedTlb(pVCpu, pCpu); /* Invalidate the appropriate guest entries from the TLB. */
8710	Assert(idCurrentCpu == pVCpu->hm.s.idLastCpu);
8711	pVCpu->hm.s.vmx.LastError.idCurrentCpu = idCurrentCpu; /* Update the error reporting info. with the current host CPU. */
8712
8713	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatEntry, &pVCpu->hm.s.StatInGC, x);
8714
8715	TMNotifyStartOfExecution(pVCpu); /* Finally, notify TM to resume its clocks as we're about
8716	to start executing. */
8717
8718	/*
8719	* Load the TSC_AUX MSR when we are not intercepting RDTSCP.
8720	*/
8721	if (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_RDTSCP)
8722	{
8723	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT))
8724	{
8725	bool fMsrUpdated;
8726	int rc2 = hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
8727	AssertRC(rc2);
8728	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS));
8729
8730	rc2 = hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_TSC_AUX, CPUMR0GetGuestTscAux(pVCpu), true /* fUpdateHostMsr */,
8731	&fMsrUpdated);
8732	AssertRC(rc2);
8733	Assert(fMsrUpdated \|\| pVCpu->hm.s.vmx.fUpdatedHostMsrs);
8734
8735	/* Finally, mark that all host MSR values are updated so we don't redo it without leaving VT-x. See @bugref{6956}. */
8736	pVCpu->hm.s.vmx.fUpdatedHostMsrs = true;
8737	}
8738	else
8739	{
8740	hmR0VmxRemoveAutoLoadStoreMsr(pVCpu, MSR_K8_TSC_AUX);
8741	Assert(!pVCpu->hm.s.vmx.cMsrs \|\| pVCpu->hm.s.vmx.fUpdatedHostMsrs);
8742	}
8743	}
8744
8745	#ifdef VBOX_STRICT
8746	hmR0VmxCheckAutoLoadStoreMsrs(pVCpu);
8747	hmR0VmxCheckHostEferMsr(pVCpu);
8748	AssertRC(hmR0VmxCheckVmcsCtls(pVCpu));
8749	#endif
8750	#ifdef HMVMX_ALWAYS_CHECK_GUEST_STATE
8751	uint32_t uInvalidReason = hmR0VmxCheckGuestState(pVM, pVCpu, pMixedCtx);
8752	if (uInvalidReason != VMX_IGS_REASON_NOT_FOUND)
8753	Log4(("hmR0VmxCheckGuestState returned %#x\n", uInvalidReason));
8754	#endif
8755	}
8756
8757
8758	/**
8759	* Performs some essential restoration of state after running guest code in
8760	* VT-x.
8761	*
8762	* @param pVM The cross context VM structure.
8763	* @param pVCpu The cross context virtual CPU structure.
8764	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
8765	* out-of-sync. Make sure to update the required fields
8766	* before using them.
8767	* @param pVmxTransient Pointer to the VMX transient structure.
8768	* @param rcVMRun Return code of VMLAUNCH/VMRESUME.
8769	*
8770	* @remarks Called with interrupts disabled, and returns with interrupts enabled!
8771	*
8772	* @remarks No-long-jump zone!!! This function will however re-enable longjmps
8773	* unconditionally when it is safe to do so.
8774	*/
8775	static void hmR0VmxPostRunGuest(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, int rcVMRun)
8776	{
8777	NOREF(pVM);
8778
8779	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
8780
8781	ASMAtomicWriteBool(&pVCpu->hm.s.fCheckedTLBFlush, false); /* See HMInvalidatePageOnAllVCpus(): used for TLB flushing. */
8782	ASMAtomicIncU32(&pVCpu->hm.s.cWorldSwitchExits); /* Initialized in vmR3CreateUVM(): used for EMT poking. */
8783	HMVMXCPU_GST_RESET_TO(pVCpu, 0); /* Exits/longjmps to ring-3 requires saving the guest state. */
8784	pVmxTransient->fVmcsFieldsRead = 0; /* Transient fields need to be read from the VMCS. */
8785	pVmxTransient->fVectoringPF = false; /* Vectoring page-fault needs to be determined later. */
8786	pVmxTransient->fVectoringDoublePF = false; /* Vectoring double page-fault needs to be determined later. */
8787
8788	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT))
8789	TMCpuTickSetLastSeen(pVCpu, ASMReadTSC() + pVCpu->hm.s.vmx.u64TSCOffset);
8790
8791	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatInGC, &pVCpu->hm.s.StatExit1, x);
8792	TMNotifyEndOfExecution(pVCpu); /* Notify TM that the guest is no longer running. */
8793	Assert(!ASMIntAreEnabled());
8794	VMCPU_SET_STATE(pVCpu, VMCPUSTATE_STARTED_HM);
8795
8796	#ifdef HMVMX_ALWAYS_SWAP_FPU_STATE
8797	if (CPUMR0FpuStateMaybeSaveGuestAndRestoreHost(pVM, pVCpu))
8798	{
8799	hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
8800	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
8801	}
8802	#endif
8803
8804	#if HC_ARCH_BITS == 64
8805	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_REQUIRED; /* Host state messed up by VT-x, we must restore. */
8806	#endif
8807	pVCpu->hm.s.vmx.uVmcsState \|= HMVMX_VMCS_STATE_LAUNCHED; /* Use VMRESUME instead of VMLAUNCH in the next run. */
8808	#ifdef VBOX_STRICT
8809	hmR0VmxCheckHostEferMsr(pVCpu); /* Verify that VMRUN/VMLAUNCH didn't modify host EFER. */
8810	#endif
8811	ASMSetFlags(pVmxTransient->fEFlags); /* Enable interrupts. */
8812	VMMRZCallRing3Enable(pVCpu); /* It is now safe to do longjmps to ring-3!!! */
8813
8814	/* Save the basic VM-exit reason. Refer Intel spec. 24.9.1 "Basic VM-exit Information". */
8815	uint32_t uExitReason;
8816	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_REASON, &uExitReason);
8817	rc \|= hmR0VmxReadEntryIntInfoVmcs(pVmxTransient);
8818	AssertRC(rc);
8819	pVmxTransient->uExitReason = (uint16_t)VMX_EXIT_REASON_BASIC(uExitReason);
8820	pVmxTransient->fVMEntryFailed = VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uEntryIntInfo);
8821
8822	/* Update the VM-exit history array. */
8823	HMCPU_EXIT_HISTORY_ADD(pVCpu, pVmxTransient->uExitReason);
8824
8825	/* If the VMLAUNCH/VMRESUME failed, we can bail out early. This does -not- cover VMX_EXIT_ERR_. /
8826	if (RT_UNLIKELY(rcVMRun != VINF_SUCCESS))
8827	{
8828	Log4(("VM-entry failure: pVCpu=%p idCpu=%RU32 rcVMRun=%Rrc fVMEntryFailed=%RTbool\n", pVCpu, pVCpu->idCpu, rcVMRun,
8829	pVmxTransient->fVMEntryFailed));
8830	return;
8831	}
8832
8833	if (RT_LIKELY(!pVmxTransient->fVMEntryFailed))
8834	{
8835	/** @todo We can optimize this by only syncing with our force-flags when
8836	* really needed and keeping the VMCS state as it is for most
8837	* VM-exits. */
8838	/* Update the guest interruptibility-state from the VMCS. */
8839	hmR0VmxSaveGuestIntrState(pVCpu, pMixedCtx);
8840
8841	#if defined(HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE) \|\| defined(HMVMX_ALWAYS_SAVE_FULL_GUEST_STATE)
8842	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
8843	AssertRC(rc);
8844	#elif defined(HMVMX_ALWAYS_SAVE_GUEST_RFLAGS)
8845	rc = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
8846	AssertRC(rc);
8847	#endif
8848
8849	/*
8850	* If the TPR was raised by the guest, it wouldn't cause a VM-exit immediately. Instead we sync the TPR lazily whenever
8851	* we eventually get a VM-exit for any reason. This maybe expensive as PDMApicSetTPR() can longjmp to ring-3 and which is
8852	* why it's done here as it's easier and no less efficient to deal with it here than making hmR0VmxSaveGuestState()
8853	* cope with longjmps safely (see VMCPU_FF_HM_UPDATE_CR3 handling).
8854	*/
8855	if ( (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
8856	&& pVmxTransient->u8GuestTpr != pVCpu->hm.s.vmx.pbVirtApic[0x80])
8857	{
8858	rc = PDMApicSetTPR(pVCpu, pVCpu->hm.s.vmx.pbVirtApic[0x80]);
8859	AssertRC(rc);
8860	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
8861	}
8862	}
8863	}
8864
8865
8866	/**
8867	* Runs the guest code using VT-x the normal way.
8868	*
8869	* @returns VBox status code.
8870	* @param pVM The cross context VM structure.
8871	* @param pVCpu The cross context virtual CPU structure.
8872	* @param pCtx Pointer to the guest-CPU context.
8873	*
8874	* @note Mostly the same as hmR0VmxRunGuestCodeStep().
8875	*/
8876	static VBOXSTRICTRC hmR0VmxRunGuestCodeNormal(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
8877	{
8878	VMXTRANSIENT VmxTransient;
8879	VmxTransient.fUpdateTscOffsettingAndPreemptTimer = true;
8880	VBOXSTRICTRC rcStrict = VERR_INTERNAL_ERROR_5;
8881	uint32_t cLoops = 0;
8882
8883	for (;; cLoops++)
8884	{
8885	Assert(!HMR0SuspendPending());
8886	HMVMX_ASSERT_CPU_SAFE();
8887
8888	/* Preparatory work for running guest code, this may force us to return
8889	to ring-3. This bugger disables interrupts on VINF_SUCCESS! */
8890	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
8891	rcStrict = hmR0VmxPreRunGuest(pVM, pVCpu, pCtx, &VmxTransient, false /* fStepping */);
8892	if (rcStrict != VINF_SUCCESS)
8893	break;
8894
8895	hmR0VmxPreRunGuestCommitted(pVM, pVCpu, pCtx, &VmxTransient);
8896	int rcRun = hmR0VmxRunGuest(pVM, pVCpu, pCtx);
8897	/* The guest-CPU context is now outdated, 'pCtx' is to be treated as 'pMixedCtx' from this point on!!! */
8898
8899	/* Restore any residual host-state and save any bits shared between host
8900	and guest into the guest-CPU state. Re-enables interrupts! */
8901	hmR0VmxPostRunGuest(pVM, pVCpu, pCtx, &VmxTransient, VBOXSTRICTRC_TODO(rcStrict));
8902
8903	/* Check for errors with running the VM (VMLAUNCH/VMRESUME). */
8904	if (RT_SUCCESS(rcRun))
8905	{ /* very likely */ }
8906	else
8907	{
8908	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit1, x);
8909	hmR0VmxReportWorldSwitchError(pVM, pVCpu, rcRun, pCtx, &VmxTransient);
8910	return rcRun;
8911	}
8912
8913	/* Profile the VM-exit. */
8914	AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
8915	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
8916	STAM_COUNTER_INC(&pVCpu->hm.s.paStatExitReasonR0[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
8917	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatExit1, &pVCpu->hm.s.StatExit2, x);
8918	HMVMX_START_EXIT_DISPATCH_PROF();
8919
8920	VBOXVMM_R0_HMVMX_VMEXIT_NOCTX(pVCpu, pCtx, VmxTransient.uExitReason);
8921
8922	/* Handle the VM-exit. */
8923	#ifdef HMVMX_USE_FUNCTION_TABLE
8924	rcStrict = g_apfnVMExitHandlers[VmxTransient.uExitReason](pVCpu, pCtx, &VmxTransient);
8925	#else
8926	rcStrict = hmR0VmxHandleExit(pVCpu, pCtx, &VmxTransient, VmxTransient.uExitReason);
8927	#endif
8928	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit2, x);
8929	if (rcStrict == VINF_SUCCESS)
8930	{
8931	if (cLoops <= pVM->hm.s.cMaxResumeLoops)
8932	continue; /* likely */
8933	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
8934	rcStrict = VINF_EM_RAW_INTERRUPT;
8935	}
8936	break;
8937	}
8938
8939	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
8940	return rcStrict;
8941	}
8942
8943
8944
8945	/** @name Execution loop for single stepping, DBGF events and expensive Dtrace
8946	* probes.
8947	*
8948	* The following few functions and associated structure contains the bloat
8949	* necessary for providing detailed debug events and dtrace probes as well as
8950	* reliable host side single stepping. This works on the principle of
8951	* "subclassing" the normal execution loop and workers. We replace the loop
8952	* method completely and override selected helpers to add necessary adjustments
8953	* to their core operation.
8954	*
8955	* The goal is to keep the "parent" code lean and mean, so as not to sacrifice
8956	* any performance for debug and analysis features.
8957	*
8958	* @{
8959	*/
8960
8961	typedef struct VMXRUNDBGSTATE
8962	{
8963	/** The RIP we started executing at. This is for detecting that we stepped. */
8964	uint64_t uRipStart;
8965	/** The CS we started executing with. */
8966	uint16_t uCsStart;
8967
8968	/** Whether we've actually modified the 1st execution control field. */
8969	bool fModifiedProcCtls : 1;
8970	/** Whether we've actually modified the 2nd execution control field. */
8971	bool fModifiedProcCtls2 : 1;
8972	/** Whether we've actually modified the exception bitmap. */
8973	bool fModifiedXcptBitmap : 1;
8974
8975	/** We desire the modified the CR0 mask to be cleared. */
8976	bool fClearCr0Mask : 1;
8977	/** We desire the modified the CR4 mask to be cleared. */
8978	bool fClearCr4Mask : 1;
8979	/** Stuff we need in VMX_VMCS32_CTRL_PROC_EXEC. */
8980	uint32_t fCpe1Extra;
8981	/** Stuff we do not want in VMX_VMCS32_CTRL_PROC_EXEC. */
8982	uint32_t fCpe1Unwanted;
8983	/** Stuff we need in VMX_VMCS32_CTRL_PROC_EXEC2. */
8984	uint32_t fCpe2Extra;
8985	/** Extra stuff we need in */
8986	uint32_t bmXcptExtra;
8987	/** The sequence number of the Dtrace provider settings the state was
8988	* configured against. */
8989	uint32_t uDtraceSettingsSeqNo;
8990	/** Exits to check (one bit per exit). */
8991	uint32_t bmExitsToCheck[3];
8992
8993	/** The initial VMX_VMCS32_CTRL_PROC_EXEC value (helps with restore). */
8994	uint32_t fProcCtlsInitial;
8995	/** The initial VMX_VMCS32_CTRL_PROC_EXEC2 value (helps with restore). */
8996	uint32_t fProcCtls2Initial;
8997	/** The initial VMX_VMCS32_CTRL_EXCEPTION_BITMAP value (helps with restore). */
8998	uint32_t bmXcptInitial;
8999	} VMXRUNDBGSTATE;
9000	AssertCompileMemberSize(VMXRUNDBGSTATE, bmExitsToCheck, (VMX_EXIT_MAX + 1 + 31) / 32 * 4);
9001	typedef VMXRUNDBGSTATE *PVMXRUNDBGSTATE;
9002
9003
9004	/**
9005	* Initializes the VMXRUNDBGSTATE structure.
9006	*
9007	* @param pVCpu The cross context virtual CPU structure of the
9008	* calling EMT.
9009	* @param pCtx The CPU register context to go with @a pVCpu.
9010	* @param pDbgState The structure to initialize.
9011	*/
9012	DECLINLINE(void) hmR0VmxRunDebugStateInit(PVMCPU pVCpu, PCCPUMCTX pCtx, PVMXRUNDBGSTATE pDbgState)
9013	{
9014	pDbgState->uRipStart = pCtx->rip;
9015	pDbgState->uCsStart = pCtx->cs.Sel;
9016
9017	pDbgState->fModifiedProcCtls = false;
9018	pDbgState->fModifiedProcCtls2 = false;
9019	pDbgState->fModifiedXcptBitmap = false;
9020	pDbgState->fClearCr0Mask = false;
9021	pDbgState->fClearCr4Mask = false;
9022	pDbgState->fCpe1Extra = 0;
9023	pDbgState->fCpe1Unwanted = 0;
9024	pDbgState->fCpe2Extra = 0;
9025	pDbgState->bmXcptExtra = 0;
9026	pDbgState->fProcCtlsInitial = pVCpu->hm.s.vmx.u32ProcCtls;
9027	pDbgState->fProcCtls2Initial = pVCpu->hm.s.vmx.u32ProcCtls2;
9028	pDbgState->bmXcptInitial = pVCpu->hm.s.vmx.u32XcptBitmap;
9029	}
9030
9031
9032	/**
9033	* Updates the VMSC fields with changes requested by @a pDbgState.
9034	*
9035	* This is performed after hmR0VmxPreRunGuestDebugStateUpdate as well
9036	* immediately before executing guest code, i.e. when interrupts are disabled.
9037	* We don't check status codes here as we cannot easily assert or return in the
9038	* latter case.
9039	*
9040	* @param pVCpu The cross context virtual CPU structure.
9041	* @param pDbgState The debug state.
9042	*/
9043	DECLINLINE(void) hmR0VmxPreRunGuestDebugStateApply(PVMCPU pVCpu, PVMXRUNDBGSTATE pDbgState)
9044	{
9045	/*
9046	* Ensure desired flags in VMCS control fields are set.
9047	* (Ignoring write failure here, as we're committed and it's just debug extras.)
9048	*
9049	* Note! We load the shadow CR0 & CR4 bits when we flag the clearing, so
9050	* there should be no stale data in pCtx at this point.
9051	*/
9052	if ( (pVCpu->hm.s.vmx.u32ProcCtls & pDbgState->fCpe1Extra) != pDbgState->fCpe1Extra
9053	\|\| (pVCpu->hm.s.vmx.u32ProcCtls & pDbgState->fCpe1Unwanted))
9054	{
9055	pVCpu->hm.s.vmx.u32ProcCtls \|= pDbgState->fCpe1Extra;
9056	pVCpu->hm.s.vmx.u32ProcCtls &= ~pDbgState->fCpe1Unwanted;
9057	VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
9058	Log6(("hmR0VmxRunDebugStateRevert: VMX_VMCS32_CTRL_PROC_EXEC: %#RX32\n", pVCpu->hm.s.vmx.u32ProcCtls));
9059	pDbgState->fModifiedProcCtls = true;
9060	}
9061
9062	if ((pVCpu->hm.s.vmx.u32ProcCtls2 & pDbgState->fCpe2Extra) != pDbgState->fCpe2Extra)
9063	{
9064	pVCpu->hm.s.vmx.u32ProcCtls2 \|= pDbgState->fCpe2Extra;
9065	VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, pVCpu->hm.s.vmx.u32ProcCtls2);
9066	Log6(("hmR0VmxRunDebugStateRevert: VMX_VMCS32_CTRL_PROC_EXEC2: %#RX32\n", pVCpu->hm.s.vmx.u32ProcCtls2));
9067	pDbgState->fModifiedProcCtls2 = true;
9068	}
9069
9070	if ((pVCpu->hm.s.vmx.u32XcptBitmap & pDbgState->bmXcptExtra) != pDbgState->bmXcptExtra)
9071	{
9072	pVCpu->hm.s.vmx.u32XcptBitmap \|= pDbgState->bmXcptExtra;
9073	VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap);
9074	Log6(("hmR0VmxRunDebugStateRevert: VMX_VMCS32_CTRL_EXCEPTION_BITMAP: %#RX32\n", pVCpu->hm.s.vmx.u32XcptBitmap));
9075	pDbgState->fModifiedXcptBitmap = true;
9076	}
9077
9078	if (pDbgState->fClearCr0Mask && pVCpu->hm.s.vmx.u32CR0Mask != 0)
9079	{
9080	pVCpu->hm.s.vmx.u32CR0Mask = 0;
9081	VMXWriteVmcs32(VMX_VMCS_CTRL_CR0_MASK, 0);
9082	Log6(("hmR0VmxRunDebugStateRevert: VMX_VMCS_CTRL_CR0_MASK: 0\n"));
9083	}
9084
9085	if (pDbgState->fClearCr4Mask && pVCpu->hm.s.vmx.u32CR4Mask != 0)
9086	{
9087	pVCpu->hm.s.vmx.u32CR4Mask = 0;
9088	VMXWriteVmcs32(VMX_VMCS_CTRL_CR4_MASK, 0);
9089	Log6(("hmR0VmxRunDebugStateRevert: VMX_VMCS_CTRL_CR4_MASK: 0\n"));
9090	}
9091	}
9092
9093
9094	DECLINLINE(VBOXSTRICTRC) hmR0VmxRunDebugStateRevert(PVMCPU pVCpu, PVMXRUNDBGSTATE pDbgState, VBOXSTRICTRC rcStrict)
9095	{
9096	/*
9097	* Restore exit control settings as we may not reenter this function the
9098	* next time around.
9099	*/
9100	/* We reload the initial value, trigger what we can of recalculations the
9101	next time around. From the looks of things, that's all that's required atm. */
9102	if (pDbgState->fModifiedProcCtls)
9103	{
9104	if (!(pDbgState->fProcCtlsInitial & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT) && CPUMIsHyperDebugStateActive(pVCpu))
9105	pDbgState->fProcCtlsInitial \|= VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT; /* Avoid assertion in hmR0VmxLeave */
9106	int rc2 = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pDbgState->fProcCtlsInitial);
9107	AssertRCReturn(rc2, rc2);
9108	pVCpu->hm.s.vmx.u32ProcCtls = pDbgState->fProcCtlsInitial;
9109	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0 \| HM_CHANGED_GUEST_DEBUG);
9110	}
9111
9112	/* We're currently the only ones messing with this one, so just restore the
9113	cached value and reload the field. */
9114	if ( pDbgState->fModifiedProcCtls2
9115	&& pVCpu->hm.s.vmx.u32ProcCtls2 != pDbgState->fProcCtls2Initial)
9116	{
9117	int rc2 = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, pDbgState->fProcCtls2Initial);
9118	AssertRCReturn(rc2, rc2);
9119	pVCpu->hm.s.vmx.u32ProcCtls2 = pDbgState->fProcCtls2Initial;
9120	}
9121
9122	/* If we've modified the exception bitmap, we restore it and trigger
9123	reloading and partial recalculation the next time around. */
9124	if (pDbgState->fModifiedXcptBitmap)
9125	{
9126	pVCpu->hm.s.vmx.u32XcptBitmap = pDbgState->bmXcptInitial;
9127	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS \| HM_CHANGED_GUEST_CR0);
9128	}
9129
9130	/* We assume hmR0VmxLoadSharedCR0 will recalculate and load the CR0 mask. */
9131	if (pDbgState->fClearCr0Mask)
9132	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
9133
9134	/* We assume hmR0VmxLoadGuestCR3AndCR4 will recalculate and load the CR4 mask. */
9135	if (pDbgState->fClearCr4Mask)
9136	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR4);
9137
9138	return rcStrict;
9139	}
9140
9141
9142	/**
9143	* Configures VM-exit controls for current DBGF and DTrace settings.
9144	*
9145	* This updates @a pDbgState and the VMCS execution control fields to reflect
9146	* the necessary exits demanded by DBGF and DTrace.
9147	*
9148	* @param pVM The cross context VM structure.
9149	* @param pVCpu The cross context virtual CPU structure.
9150	* @param pCtx Pointer to the guest-CPU context.
9151	* @param pDbgState The debug state.
9152	* @param pVmxTransient Pointer to the VMX transient structure. May update
9153	* fUpdateTscOffsettingAndPreemptTimer.
9154	*/
9155	static void hmR0VmxPreRunGuestDebugStateUpdate(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx,
9156	PVMXRUNDBGSTATE pDbgState, PVMXTRANSIENT pVmxTransient)
9157	{
9158	/*
9159	* Take down the dtrace serial number so we can spot changes.
9160	*/
9161	pDbgState->uDtraceSettingsSeqNo = VBOXVMM_GET_SETTINGS_SEQ_NO();
9162	ASMCompilerBarrier();
9163
9164	/*
9165	* We'll rebuild most of the middle block of data members (holding the
9166	* current settings) as we go along here, so start by clearing it all.
9167	*/
9168	pDbgState->bmXcptExtra = 0;
9169	pDbgState->fCpe1Extra = 0;
9170	pDbgState->fCpe1Unwanted = 0;
9171	pDbgState->fCpe2Extra = 0;
9172	for (unsigned i = 0; i < RT_ELEMENTS(pDbgState->bmExitsToCheck); i++)
9173	pDbgState->bmExitsToCheck[i] = 0;
9174
9175	/*
9176	* Software interrupts (INT XXh) - no idea how to trigger these...
9177	*/
9178	if ( DBGF_IS_EVENT_ENABLED(pVM, DBGFEVENT_INTERRUPT_SOFTWARE)
9179	\|\| VBOXVMM_INT_SOFTWARE_ENABLED())
9180	{
9181	ASMBitSet(pDbgState->bmExitsToCheck, VMX_EXIT_XCPT_OR_NMI);
9182	}
9183
9184	/*
9185	* Exception bitmap and XCPT events+probes.
9186	*/
9187	for (int iXcpt = 0; iXcpt < (DBGFEVENT_XCPT_LAST - DBGFEVENT_XCPT_FIRST + 1); iXcpt++)
9188	if (DBGF_IS_EVENT_ENABLED(pVM, (DBGFEVENTTYPE)(DBGFEVENT_XCPT_FIRST + iXcpt)))
9189	pDbgState->bmXcptExtra \|= RT_BIT_32(iXcpt);
9190
9191	if (VBOXVMM_XCPT_DE_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_DE);
9192	if (VBOXVMM_XCPT_DB_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_DB);
9193	if (VBOXVMM_XCPT_BP_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_BP);
9194	if (VBOXVMM_XCPT_OF_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_OF);
9195	if (VBOXVMM_XCPT_BR_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_BR);
9196	if (VBOXVMM_XCPT_UD_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_UD);
9197	if (VBOXVMM_XCPT_NM_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_NM);
9198	if (VBOXVMM_XCPT_DF_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_DF);
9199	if (VBOXVMM_XCPT_TS_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_TS);
9200	if (VBOXVMM_XCPT_NP_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_NP);
9201	if (VBOXVMM_XCPT_SS_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_SS);
9202	if (VBOXVMM_XCPT_GP_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_GP);
9203	if (VBOXVMM_XCPT_PF_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_PF);
9204	if (VBOXVMM_XCPT_MF_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_MF);
9205	if (VBOXVMM_XCPT_AC_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_AC);
9206	if (VBOXVMM_XCPT_XF_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_XF);
9207	if (VBOXVMM_XCPT_VE_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_VE);
9208	if (VBOXVMM_XCPT_SX_ENABLED()) pDbgState->bmXcptExtra \|= RT_BIT_32(X86_XCPT_SX);
9209
9210	if (pDbgState->bmXcptExtra)
9211	ASMBitSet(pDbgState->bmExitsToCheck, VMX_EXIT_XCPT_OR_NMI);
9212
9213	/*
9214	* Process events and probes for VM exits, making sure we get the wanted exits.
9215	*
9216	* Note! This is the reverse of waft hmR0VmxHandleExitDtraceEvents does.
9217	* So, when adding/changing/removing please don't forget to update it.
9218	*
9219	* Some of the macros are picking up local variables to save horizontal space,
9220	* (being able to see it in a table is the lesser evil here).
9221	*/
9222	#define IS_EITHER_ENABLED(a_pVM, a_EventSubName) \
9223	( DBGF_IS_EVENT_ENABLED(a_pVM, RT_CONCAT(DBGFEVENT_, a_EventSubName)) \
9224	\|\| RT_CONCAT3(VBOXVMM_, a_EventSubName, _ENABLED)() )
9225	#define SET_ONLY_XBM_IF_EITHER_EN(a_EventSubName, a_uExit) \
9226	if (IS_EITHER_ENABLED(pVM, a_EventSubName)) \
9227	{ AssertCompile((unsigned)(a_uExit) < sizeof(pDbgState->bmExitsToCheck) * 8); \
9228	ASMBitSet((pDbgState)->bmExitsToCheck, a_uExit); \
9229	} else do { } while (0)
9230	#define SET_CPE1_XBM_IF_EITHER_EN(a_EventSubName, a_uExit, a_fCtrlProcExec) \
9231	if (IS_EITHER_ENABLED(pVM, a_EventSubName)) \
9232	{ \
9233	(pDbgState)->fCpe1Extra \|= (a_fCtrlProcExec); \
9234	AssertCompile((unsigned)(a_uExit) < sizeof(pDbgState->bmExitsToCheck) * 8); \
9235	ASMBitSet((pDbgState)->bmExitsToCheck, a_uExit); \
9236	} else do { } while (0)
9237	#define SET_CPEU_XBM_IF_EITHER_EN(a_EventSubName, a_uExit, a_fUnwantedCtrlProcExec) \
9238	if (IS_EITHER_ENABLED(pVM, a_EventSubName)) \
9239	{ \
9240	(pDbgState)->fCpe1Unwanted \|= (a_fUnwantedCtrlProcExec); \
9241	AssertCompile((unsigned)(a_uExit) < sizeof(pDbgState->bmExitsToCheck) * 8); \
9242	ASMBitSet((pDbgState)->bmExitsToCheck, a_uExit); \
9243	} else do { } while (0)
9244	#define SET_CPE2_XBM_IF_EITHER_EN(a_EventSubName, a_uExit, a_fCtrlProcExec2) \
9245	if (IS_EITHER_ENABLED(pVM, a_EventSubName)) \
9246	{ \
9247	(pDbgState)->fCpe2Extra \|= (a_fCtrlProcExec2); \
9248	AssertCompile((unsigned)(a_uExit) < sizeof(pDbgState->bmExitsToCheck) * 8); \
9249	ASMBitSet((pDbgState)->bmExitsToCheck, a_uExit); \
9250	} else do { } while (0)
9251
9252	SET_ONLY_XBM_IF_EITHER_EN(EXIT_TASK_SWITCH, VMX_EXIT_TASK_SWITCH); /* unconditional */
9253	SET_ONLY_XBM_IF_EITHER_EN(EXIT_VMX_EPT_VIOLATION, VMX_EXIT_EPT_VIOLATION); /* unconditional */
9254	SET_ONLY_XBM_IF_EITHER_EN(EXIT_VMX_EPT_MISCONFIG, VMX_EXIT_EPT_MISCONFIG); /* unconditional (unless #VE) */
9255	SET_ONLY_XBM_IF_EITHER_EN(EXIT_VMX_VAPIC_ACCESS, VMX_EXIT_APIC_ACCESS); /* feature dependent, nothing to enable here */
9256	SET_ONLY_XBM_IF_EITHER_EN(EXIT_VMX_VAPIC_WRITE, VMX_EXIT_APIC_WRITE); /* feature dependent, nothing to enable here */
9257
9258	SET_ONLY_XBM_IF_EITHER_EN(INSTR_CPUID, VMX_EXIT_CPUID); /* unconditional */
9259	SET_ONLY_XBM_IF_EITHER_EN( EXIT_CPUID, VMX_EXIT_CPUID);
9260	SET_ONLY_XBM_IF_EITHER_EN(INSTR_GETSEC, VMX_EXIT_GETSEC); /* unconditional */
9261	SET_ONLY_XBM_IF_EITHER_EN( EXIT_GETSEC, VMX_EXIT_GETSEC);
9262	SET_CPE1_XBM_IF_EITHER_EN(INSTR_HALT, VMX_EXIT_HLT, VMX_VMCS_CTRL_PROC_EXEC_HLT_EXIT); /* paranoia */
9263	SET_ONLY_XBM_IF_EITHER_EN( EXIT_HALT, VMX_EXIT_HLT);
9264	SET_ONLY_XBM_IF_EITHER_EN(INSTR_INVD, VMX_EXIT_INVD); /* unconditional */
9265	SET_ONLY_XBM_IF_EITHER_EN( EXIT_INVD, VMX_EXIT_INVD);
9266	SET_CPE1_XBM_IF_EITHER_EN(INSTR_INVLPG, VMX_EXIT_INVLPG, VMX_VMCS_CTRL_PROC_EXEC_INVLPG_EXIT);
9267	SET_ONLY_XBM_IF_EITHER_EN( EXIT_INVLPG, VMX_EXIT_INVLPG);
9268	SET_CPE1_XBM_IF_EITHER_EN(INSTR_RDPMC, VMX_EXIT_RDPMC, VMX_VMCS_CTRL_PROC_EXEC_RDPMC_EXIT);
9269	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RDPMC, VMX_EXIT_RDPMC);
9270	SET_CPE1_XBM_IF_EITHER_EN(INSTR_RDTSC, VMX_EXIT_RDTSC, VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT);
9271	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RDTSC, VMX_EXIT_RDTSC);
9272	SET_ONLY_XBM_IF_EITHER_EN(INSTR_RSM, VMX_EXIT_RSM); /* unconditional */
9273	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RSM, VMX_EXIT_RSM);
9274	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMM_CALL, VMX_EXIT_VMCALL); /* unconditional */
9275	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMM_CALL, VMX_EXIT_VMCALL);
9276	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMCLEAR, VMX_EXIT_VMCLEAR); /* unconditional */
9277	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMCLEAR, VMX_EXIT_VMCLEAR);
9278	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMLAUNCH, VMX_EXIT_VMLAUNCH); /* unconditional */
9279	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMLAUNCH, VMX_EXIT_VMLAUNCH);
9280	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMPTRLD, VMX_EXIT_VMPTRLD); /* unconditional */
9281	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMPTRLD, VMX_EXIT_VMPTRLD);
9282	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMPTRST, VMX_EXIT_VMPTRST); /* unconditional */
9283	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMPTRST, VMX_EXIT_VMPTRST);
9284	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMREAD, VMX_EXIT_VMREAD); /* unconditional */
9285	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMREAD, VMX_EXIT_VMREAD);
9286	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMRESUME, VMX_EXIT_VMRESUME); /* unconditional */
9287	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMRESUME, VMX_EXIT_VMRESUME);
9288	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMWRITE, VMX_EXIT_VMWRITE); /* unconditional */
9289	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMWRITE, VMX_EXIT_VMWRITE);
9290	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMXOFF, VMX_EXIT_VMXOFF); /* unconditional */
9291	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMXOFF, VMX_EXIT_VMXOFF);
9292	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMXON, VMX_EXIT_VMXON); /* unconditional */
9293	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMXON, VMX_EXIT_VMXON);
9294
9295	if ( IS_EITHER_ENABLED(pVM, INSTR_CRX_READ)
9296	\|\| IS_EITHER_ENABLED(pVM, INSTR_CRX_WRITE))
9297	{
9298	int rc2 = hmR0VmxSaveGuestCR0(pVCpu, pCtx);
9299	rc2 \|= hmR0VmxSaveGuestCR4(pVCpu, pCtx);
9300	rc2 \|= hmR0VmxSaveGuestApicState(pVCpu, pCtx);
9301	AssertRC(rc2);
9302
9303	#if 0 /** @todo fix me */
9304	pDbgState->fClearCr0Mask = true;
9305	pDbgState->fClearCr4Mask = true;
9306	#endif
9307	if (IS_EITHER_ENABLED(pVM, INSTR_CRX_READ))
9308	pDbgState->fCpe1Extra \|= VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT \| VMX_VMCS_CTRL_PROC_EXEC_CR8_STORE_EXIT;
9309	if (IS_EITHER_ENABLED(pVM, INSTR_CRX_WRITE))
9310	pDbgState->fCpe1Extra \|= VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT \| VMX_VMCS_CTRL_PROC_EXEC_CR8_LOAD_EXIT;
9311	pDbgState->fCpe1Unwanted \|= VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW; /* risky? */
9312	/* Note! We currently don't use VMX_VMCS32_CTRL_CR3_TARGET_COUNT. It would
9313	require clearing here and in the loop if we start using it. */
9314	ASMBitSet(pDbgState->bmExitsToCheck, VMX_EXIT_MOV_CRX);
9315	}
9316	else
9317	{
9318	if (pDbgState->fClearCr0Mask)
9319	{
9320	pDbgState->fClearCr0Mask = false;
9321	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
9322	}
9323	if (pDbgState->fClearCr4Mask)
9324	{
9325	pDbgState->fClearCr4Mask = false;
9326	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR4);
9327	}
9328	}
9329	SET_ONLY_XBM_IF_EITHER_EN( EXIT_CRX_READ, VMX_EXIT_MOV_CRX);
9330	SET_ONLY_XBM_IF_EITHER_EN( EXIT_CRX_WRITE, VMX_EXIT_MOV_CRX);
9331
9332	if ( IS_EITHER_ENABLED(pVM, INSTR_DRX_READ)
9333	\|\| IS_EITHER_ENABLED(pVM, INSTR_DRX_WRITE))
9334	{
9335	/** @todo later, need to fix handler as it assumes this won't usually happen. */
9336	ASMBitSet(pDbgState->bmExitsToCheck, VMX_EXIT_MOV_DRX);
9337	}
9338	SET_ONLY_XBM_IF_EITHER_EN( EXIT_DRX_READ, VMX_EXIT_MOV_DRX);
9339	SET_ONLY_XBM_IF_EITHER_EN( EXIT_DRX_WRITE, VMX_EXIT_MOV_DRX);
9340
9341	SET_CPEU_XBM_IF_EITHER_EN(INSTR_RDMSR, VMX_EXIT_RDMSR, VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS); /* risky clearing this? */
9342	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RDMSR, VMX_EXIT_RDMSR);
9343	SET_CPEU_XBM_IF_EITHER_EN(INSTR_WRMSR, VMX_EXIT_WRMSR, VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS);
9344	SET_ONLY_XBM_IF_EITHER_EN( EXIT_WRMSR, VMX_EXIT_WRMSR);
9345	SET_CPE1_XBM_IF_EITHER_EN(INSTR_MWAIT, VMX_EXIT_MWAIT, VMX_VMCS_CTRL_PROC_EXEC_MWAIT_EXIT); /* paranoia */
9346	SET_ONLY_XBM_IF_EITHER_EN( EXIT_MWAIT, VMX_EXIT_MWAIT);
9347	SET_CPE1_XBM_IF_EITHER_EN(INSTR_MONITOR, VMX_EXIT_MONITOR, VMX_VMCS_CTRL_PROC_EXEC_MONITOR_EXIT); /* paranoia */
9348	SET_ONLY_XBM_IF_EITHER_EN( EXIT_MONITOR, VMX_EXIT_MONITOR);
9349	#if 0 /** @todo too slow, fix handler. */
9350	SET_CPE1_XBM_IF_EITHER_EN(INSTR_PAUSE, VMX_EXIT_PAUSE, VMX_VMCS_CTRL_PROC_EXEC_PAUSE_EXIT);
9351	#endif
9352	SET_ONLY_XBM_IF_EITHER_EN( EXIT_PAUSE, VMX_EXIT_PAUSE);
9353
9354	if ( IS_EITHER_ENABLED(pVM, INSTR_SGDT)
9355	\|\| IS_EITHER_ENABLED(pVM, INSTR_SIDT)
9356	\|\| IS_EITHER_ENABLED(pVM, INSTR_LGDT)
9357	\|\| IS_EITHER_ENABLED(pVM, INSTR_LIDT))
9358	{
9359	pDbgState->fCpe2Extra \|= VMX_VMCS_CTRL_PROC_EXEC2_DESCRIPTOR_TABLE_EXIT;
9360	ASMBitSet(pDbgState->bmExitsToCheck, VMX_EXIT_XDTR_ACCESS);
9361	}
9362	SET_ONLY_XBM_IF_EITHER_EN( EXIT_SGDT, VMX_EXIT_XDTR_ACCESS);
9363	SET_ONLY_XBM_IF_EITHER_EN( EXIT_SIDT, VMX_EXIT_XDTR_ACCESS);
9364	SET_ONLY_XBM_IF_EITHER_EN( EXIT_LGDT, VMX_EXIT_XDTR_ACCESS);
9365	SET_ONLY_XBM_IF_EITHER_EN( EXIT_LIDT, VMX_EXIT_XDTR_ACCESS);
9366
9367	if ( IS_EITHER_ENABLED(pVM, INSTR_SLDT)
9368	\|\| IS_EITHER_ENABLED(pVM, INSTR_STR)
9369	\|\| IS_EITHER_ENABLED(pVM, INSTR_LLDT)
9370	\|\| IS_EITHER_ENABLED(pVM, INSTR_LTR))
9371	{
9372	pDbgState->fCpe2Extra \|= VMX_VMCS_CTRL_PROC_EXEC2_DESCRIPTOR_TABLE_EXIT;
9373	ASMBitSet(pDbgState->bmExitsToCheck, VMX_EXIT_TR_ACCESS);
9374	}
9375	SET_ONLY_XBM_IF_EITHER_EN( EXIT_SLDT, VMX_EXIT_TR_ACCESS);
9376	SET_ONLY_XBM_IF_EITHER_EN( EXIT_STR, VMX_EXIT_TR_ACCESS);
9377	SET_ONLY_XBM_IF_EITHER_EN( EXIT_LLDT, VMX_EXIT_TR_ACCESS);
9378	SET_ONLY_XBM_IF_EITHER_EN( EXIT_LTR, VMX_EXIT_TR_ACCESS);
9379
9380	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_INVEPT, VMX_EXIT_INVEPT); /* unconditional */
9381	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_INVEPT, VMX_EXIT_INVEPT);
9382	SET_CPE1_XBM_IF_EITHER_EN(INSTR_RDTSCP, VMX_EXIT_RDTSCP, VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT);
9383	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RDTSCP, VMX_EXIT_RDTSCP);
9384	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_INVVPID, VMX_EXIT_INVVPID); /* unconditional */
9385	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_INVVPID, VMX_EXIT_INVVPID);
9386	SET_CPE2_XBM_IF_EITHER_EN(INSTR_WBINVD, VMX_EXIT_WBINVD, VMX_VMCS_CTRL_PROC_EXEC2_WBINVD_EXIT);
9387	SET_ONLY_XBM_IF_EITHER_EN( EXIT_WBINVD, VMX_EXIT_WBINVD);
9388	SET_ONLY_XBM_IF_EITHER_EN(INSTR_XSETBV, VMX_EXIT_XSETBV); /* unconditional */
9389	SET_ONLY_XBM_IF_EITHER_EN( EXIT_XSETBV, VMX_EXIT_XSETBV);
9390	SET_CPE2_XBM_IF_EITHER_EN(INSTR_RDRAND, VMX_EXIT_RDRAND, VMX_VMCS_CTRL_PROC_EXEC2_RDRAND_EXIT);
9391	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RDRAND, VMX_EXIT_RDRAND);
9392	SET_CPE1_XBM_IF_EITHER_EN(INSTR_VMX_INVPCID, VMX_EXIT_INVPCID, VMX_VMCS_CTRL_PROC_EXEC_INVLPG_EXIT);
9393	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_INVPCID, VMX_EXIT_INVPCID);
9394	SET_ONLY_XBM_IF_EITHER_EN(INSTR_VMX_VMFUNC, VMX_EXIT_VMFUNC); /* unconditional for the current setup */
9395	SET_ONLY_XBM_IF_EITHER_EN( EXIT_VMX_VMFUNC, VMX_EXIT_VMFUNC);
9396	SET_CPE2_XBM_IF_EITHER_EN(INSTR_RDSEED, VMX_EXIT_RDSEED, VMX_VMCS_CTRL_PROC_EXEC2_RDSEED_EXIT);
9397	SET_ONLY_XBM_IF_EITHER_EN( EXIT_RDSEED, VMX_EXIT_RDSEED);
9398	SET_ONLY_XBM_IF_EITHER_EN(INSTR_XSAVES, VMX_EXIT_XSAVES); /* unconditional (enabled by host, guest cfg) */
9399	SET_ONLY_XBM_IF_EITHER_EN(EXIT_XSAVES, VMX_EXIT_XSAVES);
9400	SET_ONLY_XBM_IF_EITHER_EN(INSTR_XRSTORS, VMX_EXIT_XRSTORS); /* unconditional (enabled by host, guest cfg) */
9401	SET_ONLY_XBM_IF_EITHER_EN( EXIT_XRSTORS, VMX_EXIT_XRSTORS);
9402
9403	#undef IS_EITHER_ENABLED
9404	#undef SET_ONLY_XBM_IF_EITHER_EN
9405	#undef SET_CPE1_XBM_IF_EITHER_EN
9406	#undef SET_CPEU_XBM_IF_EITHER_EN
9407	#undef SET_CPE2_XBM_IF_EITHER_EN
9408
9409	/*
9410	* Sanitize the control stuff.
9411	*/
9412	pDbgState->fCpe2Extra &= pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1;
9413	if (pDbgState->fCpe2Extra)
9414	pDbgState->fCpe1Extra \|= VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL;
9415	pDbgState->fCpe1Extra &= pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1;
9416	pDbgState->fCpe1Unwanted &= ~pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0;
9417	if (pVCpu->hm.s.fDebugWantRdTscExit != RT_BOOL(pDbgState->fCpe1Extra & VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT))
9418	{
9419	pVCpu->hm.s.fDebugWantRdTscExit ^= true;
9420	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
9421	}
9422
9423	Log6(("HM: debug state: cpe1=%#RX32 cpeu=%#RX32 cpe2=%#RX32%s%s\n",
9424	pDbgState->fCpe1Extra, pDbgState->fCpe1Unwanted, pDbgState->fCpe2Extra,
9425	pDbgState->fClearCr0Mask ? " clr-cr0" : "",
9426	pDbgState->fClearCr4Mask ? " clr-cr4" : ""));
9427	}
9428
9429
9430	/**
9431	* Fires off DBGF events and dtrace probes for an exit, when it's appropriate.
9432	*
9433	* The caller has checked exit against the VMXRUNDBGSTATE::bmExitsToCheck
9434	* bitmap. The caller has checked for NMIs already, so we don't have to do that
9435	* either.
9436	*
9437	* @returns Strict VBox status code (i.e. informational status codes too).
9438	* @param pVM The cross context VM structure.
9439	* @param pVCpu The cross context virtual CPU structure.
9440	* @param pMixedCtx Pointer to the guest-CPU context.
9441	* @param pVmxTransient Pointer to the VMX-transient structure.
9442	* @param uExitReason The VM-exit reason.
9443	*
9444	* @remarks The name of this function is displayed by dtrace, so keep it short
9445	* and to the point. No longer than 33 chars long, please.
9446	*/
9447	static VBOXSTRICTRC hmR0VmxHandleExitDtraceEvents(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx,
9448	PVMXTRANSIENT pVmxTransient, uint32_t uExitReason)
9449	{
9450	/*
9451	* Translate the event into a DBGF event (enmEvent + uEventArg) and at the
9452	* same time check whether any corresponding Dtrace event is enabled (fDtrace).
9453	*
9454	* Note! This is the reverse operation of what hmR0VmxPreRunGuestDebugStateUpdate
9455	* does. Must add/change/remove both places. Same ordering, please.
9456	*
9457	* Added/removed events must also be reflected in the next section
9458	* where we dispatch dtrace events.
9459	*/
9460	bool fDtrace1 = false;
9461	bool fDtrace2 = false;
9462	DBGFEVENTTYPE enmEvent1 = DBGFEVENT_END;
9463	DBGFEVENTTYPE enmEvent2 = DBGFEVENT_END;
9464	uint32_t uEventArg = 0;
9465	#define SET_EXIT(a_EventSubName) \
9466	do { \
9467	enmEvent2 = RT_CONCAT(DBGFEVENT_EXIT_, a_EventSubName); \
9468	fDtrace2 = RT_CONCAT3(VBOXVMM_EXIT_, a_EventSubName, _ENABLED)(); \
9469	} while (0)
9470	#define SET_BOTH(a_EventSubName) \
9471	do { \
9472	enmEvent1 = RT_CONCAT(DBGFEVENT_INSTR_, a_EventSubName); \
9473	enmEvent2 = RT_CONCAT(DBGFEVENT_EXIT_, a_EventSubName); \
9474	fDtrace1 = RT_CONCAT3(VBOXVMM_INSTR_, a_EventSubName, _ENABLED)(); \
9475	fDtrace2 = RT_CONCAT3(VBOXVMM_EXIT_, a_EventSubName, _ENABLED)(); \
9476	} while (0)
9477	switch (uExitReason)
9478	{
9479	case VMX_EXIT_MTF:
9480	return hmR0VmxExitMtf(pVCpu, pMixedCtx, pVmxTransient);
9481
9482	case VMX_EXIT_XCPT_OR_NMI:
9483	{
9484	uint8_t const idxVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(pVmxTransient->uExitIntInfo);
9485	switch (VMX_EXIT_INTERRUPTION_INFO_TYPE(pVmxTransient->uExitIntInfo))
9486	{
9487	case VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT:
9488	case VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT:
9489	case VMX_EXIT_INTERRUPTION_INFO_TYPE_PRIV_SW_XCPT:
9490	if (idxVector <= (unsigned)(DBGFEVENT_XCPT_LAST - DBGFEVENT_XCPT_FIRST))
9491	{
9492	if (VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_IS_VALID(pVmxTransient->uExitIntInfo))
9493	{
9494	hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
9495	uEventArg = pVmxTransient->uExitIntErrorCode;
9496	}
9497	enmEvent1 = (DBGFEVENTTYPE)(DBGFEVENT_XCPT_FIRST + idxVector);
9498	switch (enmEvent1)
9499	{
9500	case DBGFEVENT_XCPT_DE: fDtrace1 = VBOXVMM_XCPT_DE_ENABLED(); break;
9501	case DBGFEVENT_XCPT_DB: fDtrace1 = VBOXVMM_XCPT_DB_ENABLED(); break;
9502	case DBGFEVENT_XCPT_BP: fDtrace1 = VBOXVMM_XCPT_BP_ENABLED(); break;
9503	case DBGFEVENT_XCPT_OF: fDtrace1 = VBOXVMM_XCPT_OF_ENABLED(); break;
9504	case DBGFEVENT_XCPT_BR: fDtrace1 = VBOXVMM_XCPT_BR_ENABLED(); break;
9505	case DBGFEVENT_XCPT_UD: fDtrace1 = VBOXVMM_XCPT_UD_ENABLED(); break;
9506	case DBGFEVENT_XCPT_NM: fDtrace1 = VBOXVMM_XCPT_NM_ENABLED(); break;
9507	case DBGFEVENT_XCPT_DF: fDtrace1 = VBOXVMM_XCPT_DF_ENABLED(); break;
9508	case DBGFEVENT_XCPT_TS: fDtrace1 = VBOXVMM_XCPT_TS_ENABLED(); break;
9509	case DBGFEVENT_XCPT_NP: fDtrace1 = VBOXVMM_XCPT_NP_ENABLED(); break;
9510	case DBGFEVENT_XCPT_SS: fDtrace1 = VBOXVMM_XCPT_SS_ENABLED(); break;
9511	case DBGFEVENT_XCPT_GP: fDtrace1 = VBOXVMM_XCPT_GP_ENABLED(); break;
9512	case DBGFEVENT_XCPT_PF: fDtrace1 = VBOXVMM_XCPT_PF_ENABLED(); break;
9513	case DBGFEVENT_XCPT_MF: fDtrace1 = VBOXVMM_XCPT_MF_ENABLED(); break;
9514	case DBGFEVENT_XCPT_AC: fDtrace1 = VBOXVMM_XCPT_AC_ENABLED(); break;
9515	case DBGFEVENT_XCPT_XF: fDtrace1 = VBOXVMM_XCPT_XF_ENABLED(); break;
9516	case DBGFEVENT_XCPT_VE: fDtrace1 = VBOXVMM_XCPT_VE_ENABLED(); break;
9517	case DBGFEVENT_XCPT_SX: fDtrace1 = VBOXVMM_XCPT_SX_ENABLED(); break;
9518	default: break;
9519	}
9520	}
9521	else
9522	AssertFailed();
9523	break;
9524
9525	case VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT:
9526	uEventArg = idxVector;
9527	enmEvent1 = DBGFEVENT_INTERRUPT_SOFTWARE;
9528	fDtrace1 = VBOXVMM_INT_SOFTWARE_ENABLED();
9529	break;
9530	}
9531	break;
9532	}
9533
9534	case VMX_EXIT_TRIPLE_FAULT:
9535	enmEvent1 = DBGFEVENT_TRIPLE_FAULT;
9536	//fDtrace1 = VBOXVMM_EXIT_TRIPLE_FAULT_ENABLED();
9537	break;
9538	case VMX_EXIT_TASK_SWITCH: SET_EXIT(TASK_SWITCH); break;
9539	case VMX_EXIT_EPT_VIOLATION: SET_EXIT(VMX_EPT_VIOLATION); break;
9540	case VMX_EXIT_EPT_MISCONFIG: SET_EXIT(VMX_EPT_MISCONFIG); break;
9541	case VMX_EXIT_APIC_ACCESS: SET_EXIT(VMX_VAPIC_ACCESS); break;
9542	case VMX_EXIT_APIC_WRITE: SET_EXIT(VMX_VAPIC_WRITE); break;
9543
9544	/* Instruction specific VM-exits: */
9545	case VMX_EXIT_CPUID: SET_BOTH(CPUID); break;
9546	case VMX_EXIT_GETSEC: SET_BOTH(GETSEC); break;
9547	case VMX_EXIT_HLT: SET_BOTH(HALT); break;
9548	case VMX_EXIT_INVD: SET_BOTH(INVD); break;
9549	case VMX_EXIT_INVLPG: SET_BOTH(INVLPG); break;
9550	case VMX_EXIT_RDPMC: SET_BOTH(RDPMC); break;
9551	case VMX_EXIT_RDTSC: SET_BOTH(RDTSC); break;
9552	case VMX_EXIT_RSM: SET_BOTH(RSM); break;
9553	case VMX_EXIT_VMCALL: SET_BOTH(VMM_CALL); break;
9554	case VMX_EXIT_VMCLEAR: SET_BOTH(VMX_VMCLEAR); break;
9555	case VMX_EXIT_VMLAUNCH: SET_BOTH(VMX_VMLAUNCH); break;
9556	case VMX_EXIT_VMPTRLD: SET_BOTH(VMX_VMPTRLD); break;
9557	case VMX_EXIT_VMPTRST: SET_BOTH(VMX_VMPTRST); break;
9558	case VMX_EXIT_VMREAD: SET_BOTH(VMX_VMREAD); break;
9559	case VMX_EXIT_VMRESUME: SET_BOTH(VMX_VMRESUME); break;
9560	case VMX_EXIT_VMWRITE: SET_BOTH(VMX_VMWRITE); break;
9561	case VMX_EXIT_VMXOFF: SET_BOTH(VMX_VMXOFF); break;
9562	case VMX_EXIT_VMXON: SET_BOTH(VMX_VMXON); break;
9563	case VMX_EXIT_MOV_CRX:
9564	hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
9565	/** @todo r=bird: I feel these macros aren't very descriptive and needs to be at least 30 chars longer! ;-)
9566	* Sensible abbreviations strongly recommended here because even with 130 columns this stuff get too wide! */
9567	if ( VMX_EXIT_QUALIFICATION_CRX_ACCESS(pVmxTransient->uExitQualification)
9568	== VMX_EXIT_QUALIFICATION_CRX_ACCESS_READ)
9569	SET_BOTH(CRX_READ);
9570	else
9571	SET_BOTH(CRX_WRITE);
9572	uEventArg = VMX_EXIT_QUALIFICATION_CRX_REGISTER(pVmxTransient->uExitQualification);
9573	break;
9574	case VMX_EXIT_MOV_DRX:
9575	hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
9576	if ( VMX_EXIT_QUALIFICATION_DRX_DIRECTION(pVmxTransient->uExitQualification)
9577	== VMX_EXIT_QUALIFICATION_DRX_DIRECTION_READ)
9578	SET_BOTH(DRX_READ);
9579	else
9580	SET_BOTH(DRX_WRITE);
9581	uEventArg = VMX_EXIT_QUALIFICATION_DRX_REGISTER(pVmxTransient->uExitQualification);
9582	break;
9583	case VMX_EXIT_RDMSR: SET_BOTH(RDMSR); break;
9584	case VMX_EXIT_WRMSR: SET_BOTH(WRMSR); break;
9585	case VMX_EXIT_MWAIT: SET_BOTH(MWAIT); break;
9586	case VMX_EXIT_MONITOR: SET_BOTH(MONITOR); break;
9587	case VMX_EXIT_PAUSE: SET_BOTH(PAUSE); break;
9588	case VMX_EXIT_XDTR_ACCESS:
9589	hmR0VmxReadExitInstrInfoVmcs(pVmxTransient);
9590	switch (RT_BF_GET(pVmxTransient->ExitInstrInfo.u, VMX_XDTR_INSINFO_INSTR_ID))
9591	{
9592	case VMX_XDTR_INSINFO_II_SGDT: SET_BOTH(SGDT); break;
9593	case VMX_XDTR_INSINFO_II_SIDT: SET_BOTH(SIDT); break;
9594	case VMX_XDTR_INSINFO_II_LGDT: SET_BOTH(LGDT); break;
9595	case VMX_XDTR_INSINFO_II_LIDT: SET_BOTH(LIDT); break;
9596	}
9597	break;
9598
9599	case VMX_EXIT_TR_ACCESS:
9600	hmR0VmxReadExitInstrInfoVmcs(pVmxTransient);
9601	switch (RT_BF_GET(pVmxTransient->ExitInstrInfo.u, VMX_YYTR_INSINFO_INSTR_ID))
9602	{
9603	case VMX_YYTR_INSINFO_II_SLDT: SET_BOTH(SLDT); break;
9604	case VMX_YYTR_INSINFO_II_STR: SET_BOTH(STR); break;
9605	case VMX_YYTR_INSINFO_II_LLDT: SET_BOTH(LLDT); break;
9606	case VMX_YYTR_INSINFO_II_LTR: SET_BOTH(LTR); break;
9607	}
9608	break;
9609
9610	case VMX_EXIT_INVEPT: SET_BOTH(VMX_INVEPT); break;
9611	case VMX_EXIT_RDTSCP: SET_BOTH(RDTSCP); break;
9612	case VMX_EXIT_INVVPID: SET_BOTH(VMX_INVVPID); break;
9613	case VMX_EXIT_WBINVD: SET_BOTH(WBINVD); break;
9614	case VMX_EXIT_XSETBV: SET_BOTH(XSETBV); break;
9615	case VMX_EXIT_RDRAND: SET_BOTH(RDRAND); break;
9616	case VMX_EXIT_INVPCID: SET_BOTH(VMX_INVPCID); break;
9617	case VMX_EXIT_VMFUNC: SET_BOTH(VMX_VMFUNC); break;
9618	case VMX_EXIT_RDSEED: SET_BOTH(RDSEED); break;
9619	case VMX_EXIT_XSAVES: SET_BOTH(XSAVES); break;
9620	case VMX_EXIT_XRSTORS: SET_BOTH(XRSTORS); break;
9621
9622	/* Events that aren't relevant at this point. */
9623	case VMX_EXIT_EXT_INT:
9624	case VMX_EXIT_INT_WINDOW:
9625	case VMX_EXIT_NMI_WINDOW:
9626	case VMX_EXIT_TPR_BELOW_THRESHOLD:
9627	case VMX_EXIT_PREEMPT_TIMER:
9628	case VMX_EXIT_IO_INSTR:
9629	break;
9630
9631	/* Errors and unexpected events. */
9632	case VMX_EXIT_INIT_SIGNAL:
9633	case VMX_EXIT_SIPI:
9634	case VMX_EXIT_IO_SMI:
9635	case VMX_EXIT_SMI:
9636	case VMX_EXIT_ERR_INVALID_GUEST_STATE:
9637	case VMX_EXIT_ERR_MSR_LOAD:
9638	case VMX_EXIT_ERR_MACHINE_CHECK:
9639	break;
9640
9641	default:
9642	AssertMsgFailed(("Unexpected exit=%#x\n", uExitReason));
9643	break;
9644	}
9645	#undef SET_BOTH
9646	#undef SET_EXIT
9647
9648	/*
9649	* Dtrace tracepoints go first. We do them here at once so we don't
9650	* have to copy the guest state saving and stuff a few dozen times.
9651	* Down side is that we've got to repeat the switch, though this time
9652	* we use enmEvent since the probes are a subset of what DBGF does.
9653	*/
9654	if (fDtrace1 \|\| fDtrace2)
9655	{
9656	hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
9657	hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
9658	switch (enmEvent1)
9659	{
9660	/** @todo consider which extra parameters would be helpful for each probe. */
9661	case DBGFEVENT_END: break;
9662	case DBGFEVENT_XCPT_DE: VBOXVMM_XCPT_DE(pVCpu, pMixedCtx); break;
9663	case DBGFEVENT_XCPT_DB: VBOXVMM_XCPT_DB(pVCpu, pMixedCtx, pMixedCtx->dr[6]); break;
9664	case DBGFEVENT_XCPT_BP: VBOXVMM_XCPT_BP(pVCpu, pMixedCtx); break;
9665	case DBGFEVENT_XCPT_OF: VBOXVMM_XCPT_OF(pVCpu, pMixedCtx); break;
9666	case DBGFEVENT_XCPT_BR: VBOXVMM_XCPT_BR(pVCpu, pMixedCtx); break;
9667	case DBGFEVENT_XCPT_UD: VBOXVMM_XCPT_UD(pVCpu, pMixedCtx); break;
9668	case DBGFEVENT_XCPT_NM: VBOXVMM_XCPT_NM(pVCpu, pMixedCtx); break;
9669	case DBGFEVENT_XCPT_DF: VBOXVMM_XCPT_DF(pVCpu, pMixedCtx); break;
9670	case DBGFEVENT_XCPT_TS: VBOXVMM_XCPT_TS(pVCpu, pMixedCtx, uEventArg); break;
9671	case DBGFEVENT_XCPT_NP: VBOXVMM_XCPT_NP(pVCpu, pMixedCtx, uEventArg); break;
9672	case DBGFEVENT_XCPT_SS: VBOXVMM_XCPT_SS(pVCpu, pMixedCtx, uEventArg); break;
9673	case DBGFEVENT_XCPT_GP: VBOXVMM_XCPT_GP(pVCpu, pMixedCtx, uEventArg); break;
9674	case DBGFEVENT_XCPT_PF: VBOXVMM_XCPT_PF(pVCpu, pMixedCtx, uEventArg, pMixedCtx->cr2); break;
9675	case DBGFEVENT_XCPT_MF: VBOXVMM_XCPT_MF(pVCpu, pMixedCtx); break;
9676	case DBGFEVENT_XCPT_AC: VBOXVMM_XCPT_AC(pVCpu, pMixedCtx); break;
9677	case DBGFEVENT_XCPT_XF: VBOXVMM_XCPT_XF(pVCpu, pMixedCtx); break;
9678	case DBGFEVENT_XCPT_VE: VBOXVMM_XCPT_VE(pVCpu, pMixedCtx); break;
9679	case DBGFEVENT_XCPT_SX: VBOXVMM_XCPT_SX(pVCpu, pMixedCtx, uEventArg); break;
9680	case DBGFEVENT_INTERRUPT_SOFTWARE: VBOXVMM_INT_SOFTWARE(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9681	case DBGFEVENT_INSTR_CPUID: VBOXVMM_INSTR_CPUID(pVCpu, pMixedCtx, pMixedCtx->eax, pMixedCtx->ecx); break;
9682	case DBGFEVENT_INSTR_GETSEC: VBOXVMM_INSTR_GETSEC(pVCpu, pMixedCtx); break;
9683	case DBGFEVENT_INSTR_HALT: VBOXVMM_INSTR_HALT(pVCpu, pMixedCtx); break;
9684	case DBGFEVENT_INSTR_INVD: VBOXVMM_INSTR_INVD(pVCpu, pMixedCtx); break;
9685	case DBGFEVENT_INSTR_INVLPG: VBOXVMM_INSTR_INVLPG(pVCpu, pMixedCtx); break;
9686	case DBGFEVENT_INSTR_RDPMC: VBOXVMM_INSTR_RDPMC(pVCpu, pMixedCtx); break;
9687	case DBGFEVENT_INSTR_RDTSC: VBOXVMM_INSTR_RDTSC(pVCpu, pMixedCtx); break;
9688	case DBGFEVENT_INSTR_RSM: VBOXVMM_INSTR_RSM(pVCpu, pMixedCtx); break;
9689	case DBGFEVENT_INSTR_CRX_READ: VBOXVMM_INSTR_CRX_READ(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9690	case DBGFEVENT_INSTR_CRX_WRITE: VBOXVMM_INSTR_CRX_WRITE(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9691	case DBGFEVENT_INSTR_DRX_READ: VBOXVMM_INSTR_DRX_READ(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9692	case DBGFEVENT_INSTR_DRX_WRITE: VBOXVMM_INSTR_DRX_WRITE(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9693	case DBGFEVENT_INSTR_RDMSR: VBOXVMM_INSTR_RDMSR(pVCpu, pMixedCtx, pMixedCtx->ecx); break;
9694	case DBGFEVENT_INSTR_WRMSR: VBOXVMM_INSTR_WRMSR(pVCpu, pMixedCtx, pMixedCtx->ecx,
9695	RT_MAKE_U64(pMixedCtx->eax, pMixedCtx->edx)); break;
9696	case DBGFEVENT_INSTR_MWAIT: VBOXVMM_INSTR_MWAIT(pVCpu, pMixedCtx); break;
9697	case DBGFEVENT_INSTR_MONITOR: VBOXVMM_INSTR_MONITOR(pVCpu, pMixedCtx); break;
9698	case DBGFEVENT_INSTR_PAUSE: VBOXVMM_INSTR_PAUSE(pVCpu, pMixedCtx); break;
9699	case DBGFEVENT_INSTR_SGDT: VBOXVMM_INSTR_SGDT(pVCpu, pMixedCtx); break;
9700	case DBGFEVENT_INSTR_SIDT: VBOXVMM_INSTR_SIDT(pVCpu, pMixedCtx); break;
9701	case DBGFEVENT_INSTR_LGDT: VBOXVMM_INSTR_LGDT(pVCpu, pMixedCtx); break;
9702	case DBGFEVENT_INSTR_LIDT: VBOXVMM_INSTR_LIDT(pVCpu, pMixedCtx); break;
9703	case DBGFEVENT_INSTR_SLDT: VBOXVMM_INSTR_SLDT(pVCpu, pMixedCtx); break;
9704	case DBGFEVENT_INSTR_STR: VBOXVMM_INSTR_STR(pVCpu, pMixedCtx); break;
9705	case DBGFEVENT_INSTR_LLDT: VBOXVMM_INSTR_LLDT(pVCpu, pMixedCtx); break;
9706	case DBGFEVENT_INSTR_LTR: VBOXVMM_INSTR_LTR(pVCpu, pMixedCtx); break;
9707	case DBGFEVENT_INSTR_RDTSCP: VBOXVMM_INSTR_RDTSCP(pVCpu, pMixedCtx); break;
9708	case DBGFEVENT_INSTR_WBINVD: VBOXVMM_INSTR_WBINVD(pVCpu, pMixedCtx); break;
9709	case DBGFEVENT_INSTR_XSETBV: VBOXVMM_INSTR_XSETBV(pVCpu, pMixedCtx); break;
9710	case DBGFEVENT_INSTR_RDRAND: VBOXVMM_INSTR_RDRAND(pVCpu, pMixedCtx); break;
9711	case DBGFEVENT_INSTR_RDSEED: VBOXVMM_INSTR_RDSEED(pVCpu, pMixedCtx); break;
9712	case DBGFEVENT_INSTR_XSAVES: VBOXVMM_INSTR_XSAVES(pVCpu, pMixedCtx); break;
9713	case DBGFEVENT_INSTR_XRSTORS: VBOXVMM_INSTR_XRSTORS(pVCpu, pMixedCtx); break;
9714	case DBGFEVENT_INSTR_VMM_CALL: VBOXVMM_INSTR_VMM_CALL(pVCpu, pMixedCtx); break;
9715	case DBGFEVENT_INSTR_VMX_VMCLEAR: VBOXVMM_INSTR_VMX_VMCLEAR(pVCpu, pMixedCtx); break;
9716	case DBGFEVENT_INSTR_VMX_VMLAUNCH: VBOXVMM_INSTR_VMX_VMLAUNCH(pVCpu, pMixedCtx); break;
9717	case DBGFEVENT_INSTR_VMX_VMPTRLD: VBOXVMM_INSTR_VMX_VMPTRLD(pVCpu, pMixedCtx); break;
9718	case DBGFEVENT_INSTR_VMX_VMPTRST: VBOXVMM_INSTR_VMX_VMPTRST(pVCpu, pMixedCtx); break;
9719	case DBGFEVENT_INSTR_VMX_VMREAD: VBOXVMM_INSTR_VMX_VMREAD(pVCpu, pMixedCtx); break;
9720	case DBGFEVENT_INSTR_VMX_VMRESUME: VBOXVMM_INSTR_VMX_VMRESUME(pVCpu, pMixedCtx); break;
9721	case DBGFEVENT_INSTR_VMX_VMWRITE: VBOXVMM_INSTR_VMX_VMWRITE(pVCpu, pMixedCtx); break;
9722	case DBGFEVENT_INSTR_VMX_VMXOFF: VBOXVMM_INSTR_VMX_VMXOFF(pVCpu, pMixedCtx); break;
9723	case DBGFEVENT_INSTR_VMX_VMXON: VBOXVMM_INSTR_VMX_VMXON(pVCpu, pMixedCtx); break;
9724	case DBGFEVENT_INSTR_VMX_INVEPT: VBOXVMM_INSTR_VMX_INVEPT(pVCpu, pMixedCtx); break;
9725	case DBGFEVENT_INSTR_VMX_INVVPID: VBOXVMM_INSTR_VMX_INVVPID(pVCpu, pMixedCtx); break;
9726	case DBGFEVENT_INSTR_VMX_INVPCID: VBOXVMM_INSTR_VMX_INVPCID(pVCpu, pMixedCtx); break;
9727	case DBGFEVENT_INSTR_VMX_VMFUNC: VBOXVMM_INSTR_VMX_VMFUNC(pVCpu, pMixedCtx); break;
9728	default: AssertMsgFailed(("enmEvent1=%d uExitReason=%d\n", enmEvent1, uExitReason)); break;
9729	}
9730	switch (enmEvent2)
9731	{
9732	/** @todo consider which extra parameters would be helpful for each probe. */
9733	case DBGFEVENT_END: break;
9734	case DBGFEVENT_EXIT_TASK_SWITCH: VBOXVMM_EXIT_TASK_SWITCH(pVCpu, pMixedCtx); break;
9735	case DBGFEVENT_EXIT_CPUID: VBOXVMM_EXIT_CPUID(pVCpu, pMixedCtx, pMixedCtx->eax, pMixedCtx->ecx); break;
9736	case DBGFEVENT_EXIT_GETSEC: VBOXVMM_EXIT_GETSEC(pVCpu, pMixedCtx); break;
9737	case DBGFEVENT_EXIT_HALT: VBOXVMM_EXIT_HALT(pVCpu, pMixedCtx); break;
9738	case DBGFEVENT_EXIT_INVD: VBOXVMM_EXIT_INVD(pVCpu, pMixedCtx); break;
9739	case DBGFEVENT_EXIT_INVLPG: VBOXVMM_EXIT_INVLPG(pVCpu, pMixedCtx); break;
9740	case DBGFEVENT_EXIT_RDPMC: VBOXVMM_EXIT_RDPMC(pVCpu, pMixedCtx); break;
9741	case DBGFEVENT_EXIT_RDTSC: VBOXVMM_EXIT_RDTSC(pVCpu, pMixedCtx); break;
9742	case DBGFEVENT_EXIT_RSM: VBOXVMM_EXIT_RSM(pVCpu, pMixedCtx); break;
9743	case DBGFEVENT_EXIT_CRX_READ: VBOXVMM_EXIT_CRX_READ(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9744	case DBGFEVENT_EXIT_CRX_WRITE: VBOXVMM_EXIT_CRX_WRITE(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9745	case DBGFEVENT_EXIT_DRX_READ: VBOXVMM_EXIT_DRX_READ(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9746	case DBGFEVENT_EXIT_DRX_WRITE: VBOXVMM_EXIT_DRX_WRITE(pVCpu, pMixedCtx, (uint8_t)uEventArg); break;
9747	case DBGFEVENT_EXIT_RDMSR: VBOXVMM_EXIT_RDMSR(pVCpu, pMixedCtx, pMixedCtx->ecx); break;
9748	case DBGFEVENT_EXIT_WRMSR: VBOXVMM_EXIT_WRMSR(pVCpu, pMixedCtx, pMixedCtx->ecx,
9749	RT_MAKE_U64(pMixedCtx->eax, pMixedCtx->edx)); break;
9750	case DBGFEVENT_EXIT_MWAIT: VBOXVMM_EXIT_MWAIT(pVCpu, pMixedCtx); break;
9751	case DBGFEVENT_EXIT_MONITOR: VBOXVMM_EXIT_MONITOR(pVCpu, pMixedCtx); break;
9752	case DBGFEVENT_EXIT_PAUSE: VBOXVMM_EXIT_PAUSE(pVCpu, pMixedCtx); break;
9753	case DBGFEVENT_EXIT_SGDT: VBOXVMM_EXIT_SGDT(pVCpu, pMixedCtx); break;
9754	case DBGFEVENT_EXIT_SIDT: VBOXVMM_EXIT_SIDT(pVCpu, pMixedCtx); break;
9755	case DBGFEVENT_EXIT_LGDT: VBOXVMM_EXIT_LGDT(pVCpu, pMixedCtx); break;
9756	case DBGFEVENT_EXIT_LIDT: VBOXVMM_EXIT_LIDT(pVCpu, pMixedCtx); break;
9757	case DBGFEVENT_EXIT_SLDT: VBOXVMM_EXIT_SLDT(pVCpu, pMixedCtx); break;
9758	case DBGFEVENT_EXIT_STR: VBOXVMM_EXIT_STR(pVCpu, pMixedCtx); break;
9759	case DBGFEVENT_EXIT_LLDT: VBOXVMM_EXIT_LLDT(pVCpu, pMixedCtx); break;
9760	case DBGFEVENT_EXIT_LTR: VBOXVMM_EXIT_LTR(pVCpu, pMixedCtx); break;
9761	case DBGFEVENT_EXIT_RDTSCP: VBOXVMM_EXIT_RDTSCP(pVCpu, pMixedCtx); break;
9762	case DBGFEVENT_EXIT_WBINVD: VBOXVMM_EXIT_WBINVD(pVCpu, pMixedCtx); break;
9763	case DBGFEVENT_EXIT_XSETBV: VBOXVMM_EXIT_XSETBV(pVCpu, pMixedCtx); break;
9764	case DBGFEVENT_EXIT_RDRAND: VBOXVMM_EXIT_RDRAND(pVCpu, pMixedCtx); break;
9765	case DBGFEVENT_EXIT_RDSEED: VBOXVMM_EXIT_RDSEED(pVCpu, pMixedCtx); break;
9766	case DBGFEVENT_EXIT_XSAVES: VBOXVMM_EXIT_XSAVES(pVCpu, pMixedCtx); break;
9767	case DBGFEVENT_EXIT_XRSTORS: VBOXVMM_EXIT_XRSTORS(pVCpu, pMixedCtx); break;
9768	case DBGFEVENT_EXIT_VMM_CALL: VBOXVMM_EXIT_VMM_CALL(pVCpu, pMixedCtx); break;
9769	case DBGFEVENT_EXIT_VMX_VMCLEAR: VBOXVMM_EXIT_VMX_VMCLEAR(pVCpu, pMixedCtx); break;
9770	case DBGFEVENT_EXIT_VMX_VMLAUNCH: VBOXVMM_EXIT_VMX_VMLAUNCH(pVCpu, pMixedCtx); break;
9771	case DBGFEVENT_EXIT_VMX_VMPTRLD: VBOXVMM_EXIT_VMX_VMPTRLD(pVCpu, pMixedCtx); break;
9772	case DBGFEVENT_EXIT_VMX_VMPTRST: VBOXVMM_EXIT_VMX_VMPTRST(pVCpu, pMixedCtx); break;
9773	case DBGFEVENT_EXIT_VMX_VMREAD: VBOXVMM_EXIT_VMX_VMREAD(pVCpu, pMixedCtx); break;
9774	case DBGFEVENT_EXIT_VMX_VMRESUME: VBOXVMM_EXIT_VMX_VMRESUME(pVCpu, pMixedCtx); break;
9775	case DBGFEVENT_EXIT_VMX_VMWRITE: VBOXVMM_EXIT_VMX_VMWRITE(pVCpu, pMixedCtx); break;
9776	case DBGFEVENT_EXIT_VMX_VMXOFF: VBOXVMM_EXIT_VMX_VMXOFF(pVCpu, pMixedCtx); break;
9777	case DBGFEVENT_EXIT_VMX_VMXON: VBOXVMM_EXIT_VMX_VMXON(pVCpu, pMixedCtx); break;
9778	case DBGFEVENT_EXIT_VMX_INVEPT: VBOXVMM_EXIT_VMX_INVEPT(pVCpu, pMixedCtx); break;
9779	case DBGFEVENT_EXIT_VMX_INVVPID: VBOXVMM_EXIT_VMX_INVVPID(pVCpu, pMixedCtx); break;
9780	case DBGFEVENT_EXIT_VMX_INVPCID: VBOXVMM_EXIT_VMX_INVPCID(pVCpu, pMixedCtx); break;
9781	case DBGFEVENT_EXIT_VMX_VMFUNC: VBOXVMM_EXIT_VMX_VMFUNC(pVCpu, pMixedCtx); break;
9782	case DBGFEVENT_EXIT_VMX_EPT_MISCONFIG: VBOXVMM_EXIT_VMX_EPT_MISCONFIG(pVCpu, pMixedCtx); break;
9783	case DBGFEVENT_EXIT_VMX_EPT_VIOLATION: VBOXVMM_EXIT_VMX_EPT_VIOLATION(pVCpu, pMixedCtx); break;
9784	case DBGFEVENT_EXIT_VMX_VAPIC_ACCESS: VBOXVMM_EXIT_VMX_VAPIC_ACCESS(pVCpu, pMixedCtx); break;
9785	case DBGFEVENT_EXIT_VMX_VAPIC_WRITE: VBOXVMM_EXIT_VMX_VAPIC_WRITE(pVCpu, pMixedCtx); break;
9786	default: AssertMsgFailed(("enmEvent2=%d uExitReason=%d\n", enmEvent2, uExitReason)); break;
9787	}
9788	}
9789
9790	/*
9791	* Fire of the DBGF event, if enabled (our check here is just a quick one,
9792	* the DBGF call will do a full check).
9793	*
9794	* Note! DBGF sets DBGFEVENT_INTERRUPT_SOFTWARE in the bitmap.
9795	* Note! If we have to events, we prioritize the first, i.e. the instruction
9796	* one, in order to avoid event nesting.
9797	*/
9798	if ( enmEvent1 != DBGFEVENT_END
9799	&& DBGF_IS_EVENT_ENABLED(pVM, enmEvent1))
9800	{
9801	VBOXSTRICTRC rcStrict = DBGFEventGenericWithArg(pVM, pVCpu, enmEvent1, uEventArg, DBGFEVENTCTX_HM);
9802	if (rcStrict != VINF_SUCCESS)
9803	return rcStrict;
9804	}
9805	else if ( enmEvent2 != DBGFEVENT_END
9806	&& DBGF_IS_EVENT_ENABLED(pVM, enmEvent2))
9807	{
9808	VBOXSTRICTRC rcStrict = DBGFEventGenericWithArg(pVM, pVCpu, enmEvent2, uEventArg, DBGFEVENTCTX_HM);
9809	if (rcStrict != VINF_SUCCESS)
9810	return rcStrict;
9811	}
9812
9813	return VINF_SUCCESS;
9814	}
9815
9816
9817	/**
9818	* Single-stepping VM-exit filtering.
9819	*
9820	* This is preprocessing the exits and deciding whether we've gotten far enough
9821	* to return VINF_EM_DBG_STEPPED already. If not, normal VM-exit handling is
9822	* performed.
9823	*
9824	* @returns Strict VBox status code (i.e. informational status codes too).
9825	* @param pVM The cross context VM structure.
9826	* @param pVCpu The cross context virtual CPU structure of the calling EMT.
9827	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
9828	* out-of-sync. Make sure to update the required
9829	* fields before using them.
9830	* @param pVmxTransient Pointer to the VMX-transient structure.
9831	* @param uExitReason The VM-exit reason.
9832	* @param pDbgState The debug state.
9833	*/
9834	DECLINLINE(VBOXSTRICTRC) hmR0VmxRunDebugHandleExit(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient,
9835	uint32_t uExitReason, PVMXRUNDBGSTATE pDbgState)
9836	{
9837	/*
9838	* Expensive (saves context) generic dtrace exit probe.
9839	*/
9840	if (!VBOXVMM_R0_HMVMX_VMEXIT_ENABLED())
9841	{ /* more likely */ }
9842	else
9843	{
9844	hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
9845	hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
9846	VBOXVMM_R0_HMVMX_VMEXIT(pVCpu, pMixedCtx, pVmxTransient->uExitReason, pVmxTransient->uExitQualification);
9847	}
9848
9849	/*
9850	* Check for host NMI, just to get that out of the way.
9851	*/
9852	if (uExitReason != VMX_EXIT_XCPT_OR_NMI)
9853	{ /* normally likely */ }
9854	else
9855	{
9856	int rc2 = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
9857	AssertRCReturn(rc2, rc2);
9858	uint32_t uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(pVmxTransient->uExitIntInfo);
9859	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
9860	return hmR0VmxExitXcptOrNmi(pVCpu, pMixedCtx, pVmxTransient);
9861	}
9862
9863	/*
9864	* Check for single stepping event if we're stepping.
9865	*/
9866	if (pVCpu->hm.s.fSingleInstruction)
9867	{
9868	switch (uExitReason)
9869	{
9870	case VMX_EXIT_MTF:
9871	return hmR0VmxExitMtf(pVCpu, pMixedCtx, pVmxTransient);
9872
9873	/* Various events: */
9874	case VMX_EXIT_XCPT_OR_NMI:
9875	case VMX_EXIT_EXT_INT:
9876	case VMX_EXIT_TRIPLE_FAULT:
9877	case VMX_EXIT_INT_WINDOW:
9878	case VMX_EXIT_NMI_WINDOW:
9879	case VMX_EXIT_TASK_SWITCH:
9880	case VMX_EXIT_TPR_BELOW_THRESHOLD:
9881	case VMX_EXIT_APIC_ACCESS:
9882	case VMX_EXIT_EPT_VIOLATION:
9883	case VMX_EXIT_EPT_MISCONFIG:
9884	case VMX_EXIT_PREEMPT_TIMER:
9885
9886	/* Instruction specific VM-exits: */
9887	case VMX_EXIT_CPUID:
9888	case VMX_EXIT_GETSEC:
9889	case VMX_EXIT_HLT:
9890	case VMX_EXIT_INVD:
9891	case VMX_EXIT_INVLPG:
9892	case VMX_EXIT_RDPMC:
9893	case VMX_EXIT_RDTSC:
9894	case VMX_EXIT_RSM:
9895	case VMX_EXIT_VMCALL:
9896	case VMX_EXIT_VMCLEAR:
9897	case VMX_EXIT_VMLAUNCH:
9898	case VMX_EXIT_VMPTRLD:
9899	case VMX_EXIT_VMPTRST:
9900	case VMX_EXIT_VMREAD:
9901	case VMX_EXIT_VMRESUME:
9902	case VMX_EXIT_VMWRITE:
9903	case VMX_EXIT_VMXOFF:
9904	case VMX_EXIT_VMXON:
9905	case VMX_EXIT_MOV_CRX:
9906	case VMX_EXIT_MOV_DRX:
9907	case VMX_EXIT_IO_INSTR:
9908	case VMX_EXIT_RDMSR:
9909	case VMX_EXIT_WRMSR:
9910	case VMX_EXIT_MWAIT:
9911	case VMX_EXIT_MONITOR:
9912	case VMX_EXIT_PAUSE:
9913	case VMX_EXIT_XDTR_ACCESS:
9914	case VMX_EXIT_TR_ACCESS:
9915	case VMX_EXIT_INVEPT:
9916	case VMX_EXIT_RDTSCP:
9917	case VMX_EXIT_INVVPID:
9918	case VMX_EXIT_WBINVD:
9919	case VMX_EXIT_XSETBV:
9920	case VMX_EXIT_RDRAND:
9921	case VMX_EXIT_INVPCID:
9922	case VMX_EXIT_VMFUNC:
9923	case VMX_EXIT_RDSEED:
9924	case VMX_EXIT_XSAVES:
9925	case VMX_EXIT_XRSTORS:
9926	{
9927	int rc2 = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
9928	rc2 \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
9929	AssertRCReturn(rc2, rc2);
9930	if ( pMixedCtx->rip != pDbgState->uRipStart
9931	\|\| pMixedCtx->cs.Sel != pDbgState->uCsStart)
9932	return VINF_EM_DBG_STEPPED;
9933	break;
9934	}
9935
9936	/* Errors and unexpected events: */
9937	case VMX_EXIT_INIT_SIGNAL:
9938	case VMX_EXIT_SIPI:
9939	case VMX_EXIT_IO_SMI:
9940	case VMX_EXIT_SMI:
9941	case VMX_EXIT_ERR_INVALID_GUEST_STATE:
9942	case VMX_EXIT_ERR_MSR_LOAD:
9943	case VMX_EXIT_ERR_MACHINE_CHECK:
9944	case VMX_EXIT_APIC_WRITE: /* Some talk about this being fault like, so I guess we must process it? */
9945	break;
9946
9947	default:
9948	AssertMsgFailed(("Unexpected exit=%#x\n", uExitReason));
9949	break;
9950	}
9951	}
9952
9953	/*
9954	* Check for debugger event breakpoints and dtrace probes.
9955	*/
9956	if ( uExitReason < RT_ELEMENTS(pDbgState->bmExitsToCheck) * 32U
9957	&& ASMBitTest(pDbgState->bmExitsToCheck, uExitReason) )
9958	{
9959	VBOXSTRICTRC rcStrict = hmR0VmxHandleExitDtraceEvents(pVM, pVCpu, pMixedCtx, pVmxTransient, uExitReason);
9960	if (rcStrict != VINF_SUCCESS)
9961	return rcStrict;
9962	}
9963
9964	/*
9965	* Normal processing.
9966	*/
9967	#ifdef HMVMX_USE_FUNCTION_TABLE
9968	return g_apfnVMExitHandlers[uExitReason](pVCpu, pMixedCtx, pVmxTransient);
9969	#else
9970	return hmR0VmxHandleExit(pVCpu, pMixedCtx, pVmxTransient, uExitReason);
9971	#endif
9972	}
9973
9974
9975	/**
9976	* Single steps guest code using VT-x.
9977	*
9978	* @returns Strict VBox status code (i.e. informational status codes too).
9979	* @param pVM The cross context VM structure.
9980	* @param pVCpu The cross context virtual CPU structure.
9981	* @param pCtx Pointer to the guest-CPU context.
9982	*
9983	* @note Mostly the same as hmR0VmxRunGuestCodeNormal().
9984	*/
9985	static VBOXSTRICTRC hmR0VmxRunGuestCodeDebug(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
9986	{
9987	VMXTRANSIENT VmxTransient;
9988	VmxTransient.fUpdateTscOffsettingAndPreemptTimer = true;
9989
9990	/* Set HMCPU indicators. */
9991	bool const fSavedSingleInstruction = pVCpu->hm.s.fSingleInstruction;
9992	pVCpu->hm.s.fSingleInstruction = pVCpu->hm.s.fSingleInstruction \|\| DBGFIsStepping(pVCpu);
9993	pVCpu->hm.s.fDebugWantRdTscExit = false;
9994	pVCpu->hm.s.fUsingDebugLoop = true;
9995
9996	/* State we keep to help modify and later restore the VMCS fields we alter, and for detecting steps. */
9997	VMXRUNDBGSTATE DbgState;
9998	hmR0VmxRunDebugStateInit(pVCpu, pCtx, &DbgState);
9999	hmR0VmxPreRunGuestDebugStateUpdate(pVM, pVCpu, pCtx, &DbgState, &VmxTransient);
10000
10001	/*
10002	* The loop.
10003	*/
10004	VBOXSTRICTRC rcStrict = VERR_INTERNAL_ERROR_5;
10005	for (uint32_t cLoops = 0; ; cLoops++)
10006	{
10007	Assert(!HMR0SuspendPending());
10008	HMVMX_ASSERT_CPU_SAFE();
10009	bool fStepping = pVCpu->hm.s.fSingleInstruction;
10010
10011	/*
10012	* Preparatory work for running guest code, this may force us to return
10013	* to ring-3. This bugger disables interrupts on VINF_SUCCESS!
10014	*/
10015	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
10016	hmR0VmxPreRunGuestDebugStateApply(pVCpu, &DbgState); /* Set up execute controls the next to can respond to. */
10017	rcStrict = hmR0VmxPreRunGuest(pVM, pVCpu, pCtx, &VmxTransient, fStepping);
10018	if (rcStrict != VINF_SUCCESS)
10019	break;
10020
10021	hmR0VmxPreRunGuestCommitted(pVM, pVCpu, pCtx, &VmxTransient);
10022	hmR0VmxPreRunGuestDebugStateApply(pVCpu, &DbgState); /* Override any obnoxious code in the above two calls. */
10023
10024	/*
10025	* Now we can run the guest code.
10026	*/
10027	int rcRun = hmR0VmxRunGuest(pVM, pVCpu, pCtx);
10028
10029	/* The guest-CPU context is now outdated, 'pCtx' is to be treated as 'pMixedCtx' from this point on!!! */
10030
10031	/*
10032	* Restore any residual host-state and save any bits shared between host
10033	* and guest into the guest-CPU state. Re-enables interrupts!
10034	*/
10035	hmR0VmxPostRunGuest(pVM, pVCpu, pCtx, &VmxTransient, VBOXSTRICTRC_TODO(rcStrict));
10036
10037	/* Check for errors with running the VM (VMLAUNCH/VMRESUME). */
10038	if (RT_SUCCESS(rcRun))
10039	{ /* very likely */ }
10040	else
10041	{
10042	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit1, x);
10043	hmR0VmxReportWorldSwitchError(pVM, pVCpu, rcRun, pCtx, &VmxTransient);
10044	return rcRun;
10045	}
10046
10047	/* Profile the VM-exit. */
10048	AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
10049	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
10050	STAM_COUNTER_INC(&pVCpu->hm.s.paStatExitReasonR0[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
10051	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatExit1, &pVCpu->hm.s.StatExit2, x);
10052	HMVMX_START_EXIT_DISPATCH_PROF();
10053
10054	VBOXVMM_R0_HMVMX_VMEXIT_NOCTX(pVCpu, pCtx, VmxTransient.uExitReason);
10055
10056	/*
10057	* Handle the VM-exit - we quit earlier on certain VM-exits, see hmR0VmxHandleExitDebug().
10058	*/
10059	rcStrict = hmR0VmxRunDebugHandleExit(pVM, pVCpu, pCtx, &VmxTransient, VmxTransient.uExitReason, &DbgState);
10060	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit2, x);
10061	if (rcStrict != VINF_SUCCESS)
10062	break;
10063	if (cLoops > pVM->hm.s.cMaxResumeLoops)
10064	{
10065	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
10066	rcStrict = VINF_EM_RAW_INTERRUPT;
10067	break;
10068	}
10069
10070	/*
10071	* Stepping: Did the RIP change, if so, consider it a single step.
10072	* Otherwise, make sure one of the TFs gets set.
10073	*/
10074	if (fStepping)
10075	{
10076	int rc2 = hmR0VmxSaveGuestRip(pVCpu, pCtx);
10077	rc2 \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pCtx);
10078	AssertRCReturn(rc2, rc2);
10079	if ( pCtx->rip != DbgState.uRipStart
10080	\|\| pCtx->cs.Sel != DbgState.uCsStart)
10081	{
10082	rcStrict = VINF_EM_DBG_STEPPED;
10083	break;
10084	}
10085	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
10086	}
10087
10088	/*
10089	* Update when dtrace settings changes (DBGF kicks us, so no need to check).
10090	*/
10091	if (VBOXVMM_GET_SETTINGS_SEQ_NO() != DbgState.uDtraceSettingsSeqNo)
10092	hmR0VmxPreRunGuestDebugStateUpdate(pVM, pVCpu, pCtx, &DbgState, &VmxTransient);
10093	}
10094
10095	/*
10096	* Clear the X86_EFL_TF if necessary.
10097	*/
10098	if (pVCpu->hm.s.fClearTrapFlag)
10099	{
10100	int rc2 = hmR0VmxSaveGuestRflags(pVCpu, pCtx);
10101	AssertRCReturn(rc2, rc2);
10102	pVCpu->hm.s.fClearTrapFlag = false;
10103	pCtx->eflags.Bits.u1TF = 0;
10104	}
10105	/** @todo there seems to be issues with the resume flag when the monitor trap
10106	* flag is pending without being used. Seen early in bios init when
10107	* accessing APIC page in protected mode. */
10108
10109	/*
10110	* Restore VM-exit control settings as we may not reenter this function the
10111	* next time around.
10112	*/
10113	rcStrict = hmR0VmxRunDebugStateRevert(pVCpu, &DbgState, rcStrict);
10114
10115	/* Restore HMCPU indicators. */
10116	pVCpu->hm.s.fUsingDebugLoop = false;
10117	pVCpu->hm.s.fDebugWantRdTscExit = false;
10118	pVCpu->hm.s.fSingleInstruction = fSavedSingleInstruction;
10119
10120	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
10121	return rcStrict;
10122	}
10123
10124
10125	/** @} */
10126
10127
10128	/**
10129	* Checks if any expensive dtrace probes are enabled and we should go to the
10130	* debug loop.
10131	*
10132	* @returns true if we should use debug loop, false if not.
10133	*/
10134	static bool hmR0VmxAnyExpensiveProbesEnabled(void)
10135	{
10136	/* It's probably faster to OR the raw 32-bit counter variables together.
10137	Since the variables are in an array and the probes are next to one
10138	another (more or less), we have good locality. So, better read
10139	eight-nine cache lines ever time and only have one conditional, than
10140	128+ conditionals, right? */
10141	return ( VBOXVMM_R0_HMVMX_VMEXIT_ENABLED_RAW() /* expensive too due to context */
10142	\| VBOXVMM_XCPT_DE_ENABLED_RAW()
10143	\| VBOXVMM_XCPT_DB_ENABLED_RAW()
10144	\| VBOXVMM_XCPT_BP_ENABLED_RAW()
10145	\| VBOXVMM_XCPT_OF_ENABLED_RAW()
10146	\| VBOXVMM_XCPT_BR_ENABLED_RAW()
10147	\| VBOXVMM_XCPT_UD_ENABLED_RAW()
10148	\| VBOXVMM_XCPT_NM_ENABLED_RAW()
10149	\| VBOXVMM_XCPT_DF_ENABLED_RAW()
10150	\| VBOXVMM_XCPT_TS_ENABLED_RAW()
10151	\| VBOXVMM_XCPT_NP_ENABLED_RAW()
10152	\| VBOXVMM_XCPT_SS_ENABLED_RAW()
10153	\| VBOXVMM_XCPT_GP_ENABLED_RAW()
10154	\| VBOXVMM_XCPT_PF_ENABLED_RAW()
10155	\| VBOXVMM_XCPT_MF_ENABLED_RAW()
10156	\| VBOXVMM_XCPT_AC_ENABLED_RAW()
10157	\| VBOXVMM_XCPT_XF_ENABLED_RAW()
10158	\| VBOXVMM_XCPT_VE_ENABLED_RAW()
10159	\| VBOXVMM_XCPT_SX_ENABLED_RAW()
10160	\| VBOXVMM_INT_SOFTWARE_ENABLED_RAW()
10161	\| VBOXVMM_INT_HARDWARE_ENABLED_RAW()
10162	) != 0
10163	\|\| ( VBOXVMM_INSTR_HALT_ENABLED_RAW()
10164	\| VBOXVMM_INSTR_MWAIT_ENABLED_RAW()
10165	\| VBOXVMM_INSTR_MONITOR_ENABLED_RAW()
10166	\| VBOXVMM_INSTR_CPUID_ENABLED_RAW()
10167	\| VBOXVMM_INSTR_INVD_ENABLED_RAW()
10168	\| VBOXVMM_INSTR_WBINVD_ENABLED_RAW()
10169	\| VBOXVMM_INSTR_INVLPG_ENABLED_RAW()
10170	\| VBOXVMM_INSTR_RDTSC_ENABLED_RAW()
10171	\| VBOXVMM_INSTR_RDTSCP_ENABLED_RAW()
10172	\| VBOXVMM_INSTR_RDPMC_ENABLED_RAW()
10173	\| VBOXVMM_INSTR_RDMSR_ENABLED_RAW()
10174	\| VBOXVMM_INSTR_WRMSR_ENABLED_RAW()
10175	\| VBOXVMM_INSTR_CRX_READ_ENABLED_RAW()
10176	\| VBOXVMM_INSTR_CRX_WRITE_ENABLED_RAW()
10177	\| VBOXVMM_INSTR_DRX_READ_ENABLED_RAW()
10178	\| VBOXVMM_INSTR_DRX_WRITE_ENABLED_RAW()
10179	\| VBOXVMM_INSTR_PAUSE_ENABLED_RAW()
10180	\| VBOXVMM_INSTR_XSETBV_ENABLED_RAW()
10181	\| VBOXVMM_INSTR_SIDT_ENABLED_RAW()
10182	\| VBOXVMM_INSTR_LIDT_ENABLED_RAW()
10183	\| VBOXVMM_INSTR_SGDT_ENABLED_RAW()
10184	\| VBOXVMM_INSTR_LGDT_ENABLED_RAW()
10185	\| VBOXVMM_INSTR_SLDT_ENABLED_RAW()
10186	\| VBOXVMM_INSTR_LLDT_ENABLED_RAW()
10187	\| VBOXVMM_INSTR_STR_ENABLED_RAW()
10188	\| VBOXVMM_INSTR_LTR_ENABLED_RAW()
10189	\| VBOXVMM_INSTR_GETSEC_ENABLED_RAW()
10190	\| VBOXVMM_INSTR_RSM_ENABLED_RAW()
10191	\| VBOXVMM_INSTR_RDRAND_ENABLED_RAW()
10192	\| VBOXVMM_INSTR_RDSEED_ENABLED_RAW()
10193	\| VBOXVMM_INSTR_XSAVES_ENABLED_RAW()
10194	\| VBOXVMM_INSTR_XRSTORS_ENABLED_RAW()
10195	\| VBOXVMM_INSTR_VMM_CALL_ENABLED_RAW()
10196	\| VBOXVMM_INSTR_VMX_VMCLEAR_ENABLED_RAW()
10197	\| VBOXVMM_INSTR_VMX_VMLAUNCH_ENABLED_RAW()
10198	\| VBOXVMM_INSTR_VMX_VMPTRLD_ENABLED_RAW()
10199	\| VBOXVMM_INSTR_VMX_VMPTRST_ENABLED_RAW()
10200	\| VBOXVMM_INSTR_VMX_VMREAD_ENABLED_RAW()
10201	\| VBOXVMM_INSTR_VMX_VMRESUME_ENABLED_RAW()
10202	\| VBOXVMM_INSTR_VMX_VMWRITE_ENABLED_RAW()
10203	\| VBOXVMM_INSTR_VMX_VMXOFF_ENABLED_RAW()
10204	\| VBOXVMM_INSTR_VMX_VMXON_ENABLED_RAW()
10205	\| VBOXVMM_INSTR_VMX_VMFUNC_ENABLED_RAW()
10206	\| VBOXVMM_INSTR_VMX_INVEPT_ENABLED_RAW()
10207	\| VBOXVMM_INSTR_VMX_INVVPID_ENABLED_RAW()
10208	\| VBOXVMM_INSTR_VMX_INVPCID_ENABLED_RAW()
10209	) != 0
10210	\|\| ( VBOXVMM_EXIT_TASK_SWITCH_ENABLED_RAW()
10211	\| VBOXVMM_EXIT_HALT_ENABLED_RAW()
10212	\| VBOXVMM_EXIT_MWAIT_ENABLED_RAW()
10213	\| VBOXVMM_EXIT_MONITOR_ENABLED_RAW()
10214	\| VBOXVMM_EXIT_CPUID_ENABLED_RAW()
10215	\| VBOXVMM_EXIT_INVD_ENABLED_RAW()
10216	\| VBOXVMM_EXIT_WBINVD_ENABLED_RAW()
10217	\| VBOXVMM_EXIT_INVLPG_ENABLED_RAW()
10218	\| VBOXVMM_EXIT_RDTSC_ENABLED_RAW()
10219	\| VBOXVMM_EXIT_RDTSCP_ENABLED_RAW()
10220	\| VBOXVMM_EXIT_RDPMC_ENABLED_RAW()
10221	\| VBOXVMM_EXIT_RDMSR_ENABLED_RAW()
10222	\| VBOXVMM_EXIT_WRMSR_ENABLED_RAW()
10223	\| VBOXVMM_EXIT_CRX_READ_ENABLED_RAW()
10224	\| VBOXVMM_EXIT_CRX_WRITE_ENABLED_RAW()
10225	\| VBOXVMM_EXIT_DRX_READ_ENABLED_RAW()
10226	\| VBOXVMM_EXIT_DRX_WRITE_ENABLED_RAW()
10227	\| VBOXVMM_EXIT_PAUSE_ENABLED_RAW()
10228	\| VBOXVMM_EXIT_XSETBV_ENABLED_RAW()
10229	\| VBOXVMM_EXIT_SIDT_ENABLED_RAW()
10230	\| VBOXVMM_EXIT_LIDT_ENABLED_RAW()
10231	\| VBOXVMM_EXIT_SGDT_ENABLED_RAW()
10232	\| VBOXVMM_EXIT_LGDT_ENABLED_RAW()
10233	\| VBOXVMM_EXIT_SLDT_ENABLED_RAW()
10234	\| VBOXVMM_EXIT_LLDT_ENABLED_RAW()
10235	\| VBOXVMM_EXIT_STR_ENABLED_RAW()
10236	\| VBOXVMM_EXIT_LTR_ENABLED_RAW()
10237	\| VBOXVMM_EXIT_GETSEC_ENABLED_RAW()
10238	\| VBOXVMM_EXIT_RSM_ENABLED_RAW()
10239	\| VBOXVMM_EXIT_RDRAND_ENABLED_RAW()
10240	\| VBOXVMM_EXIT_RDSEED_ENABLED_RAW()
10241	\| VBOXVMM_EXIT_XSAVES_ENABLED_RAW()
10242	\| VBOXVMM_EXIT_XRSTORS_ENABLED_RAW()
10243	\| VBOXVMM_EXIT_VMM_CALL_ENABLED_RAW()
10244	\| VBOXVMM_EXIT_VMX_VMCLEAR_ENABLED_RAW()
10245	\| VBOXVMM_EXIT_VMX_VMLAUNCH_ENABLED_RAW()
10246	\| VBOXVMM_EXIT_VMX_VMPTRLD_ENABLED_RAW()
10247	\| VBOXVMM_EXIT_VMX_VMPTRST_ENABLED_RAW()
10248	\| VBOXVMM_EXIT_VMX_VMREAD_ENABLED_RAW()
10249	\| VBOXVMM_EXIT_VMX_VMRESUME_ENABLED_RAW()
10250	\| VBOXVMM_EXIT_VMX_VMWRITE_ENABLED_RAW()
10251	\| VBOXVMM_EXIT_VMX_VMXOFF_ENABLED_RAW()
10252	\| VBOXVMM_EXIT_VMX_VMXON_ENABLED_RAW()
10253	\| VBOXVMM_EXIT_VMX_VMFUNC_ENABLED_RAW()
10254	\| VBOXVMM_EXIT_VMX_INVEPT_ENABLED_RAW()
10255	\| VBOXVMM_EXIT_VMX_INVVPID_ENABLED_RAW()
10256	\| VBOXVMM_EXIT_VMX_INVPCID_ENABLED_RAW()
10257	\| VBOXVMM_EXIT_VMX_EPT_VIOLATION_ENABLED_RAW()
10258	\| VBOXVMM_EXIT_VMX_EPT_MISCONFIG_ENABLED_RAW()
10259	\| VBOXVMM_EXIT_VMX_VAPIC_ACCESS_ENABLED_RAW()
10260	\| VBOXVMM_EXIT_VMX_VAPIC_WRITE_ENABLED_RAW()
10261	) != 0;
10262	}
10263
10264
10265	/**
10266	* Runs the guest code using VT-x.
10267	*
10268	* @returns Strict VBox status code (i.e. informational status codes too).
10269	* @param pVM The cross context VM structure.
10270	* @param pVCpu The cross context virtual CPU structure.
10271	* @param pCtx Pointer to the guest-CPU context.
10272	*/
10273	VMMR0DECL(VBOXSTRICTRC) VMXR0RunGuestCode(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
10274	{
10275	Assert(VMMRZCallRing3IsEnabled(pVCpu));
10276	Assert(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL);
10277	HMVMX_ASSERT_PREEMPT_SAFE();
10278
10279	VMMRZCallRing3SetNotification(pVCpu, hmR0VmxCallRing3Callback, pCtx);
10280
10281	VBOXSTRICTRC rcStrict;
10282	if ( !pVCpu->hm.s.fUseDebugLoop
10283	&& (!VBOXVMM_ANY_PROBES_ENABLED() \|\| !hmR0VmxAnyExpensiveProbesEnabled())
10284	&& !DBGFIsStepping(pVCpu) )
10285	rcStrict = hmR0VmxRunGuestCodeNormal(pVM, pVCpu, pCtx);
10286	else
10287	rcStrict = hmR0VmxRunGuestCodeDebug(pVM, pVCpu, pCtx);
10288
10289	if (rcStrict == VERR_EM_INTERPRETER)
10290	rcStrict = VINF_EM_RAW_EMULATE_INSTR;
10291	else if (rcStrict == VINF_EM_RESET)
10292	rcStrict = VINF_EM_TRIPLE_FAULT;
10293
10294	int rc2 = hmR0VmxExitToRing3(pVM, pVCpu, pCtx, rcStrict);
10295	if (RT_FAILURE(rc2))
10296	{
10297	pVCpu->hm.s.u32HMError = (uint32_t)VBOXSTRICTRC_VAL(rcStrict);
10298	rcStrict = rc2;
10299	}
10300	Assert(!VMMRZCallRing3IsNotificationSet(pVCpu));
10301	return rcStrict;
10302	}
10303
10304
10305	#ifndef HMVMX_USE_FUNCTION_TABLE
10306	DECLINLINE(VBOXSTRICTRC) hmR0VmxHandleExit(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, uint32_t rcReason)
10307	{
10308	# ifdef DEBUG_ramshankar
10309	# define RETURN_EXIT_CALL(a_CallExpr) \
10310	do { \
10311	int rc2 = hmR0VmxSaveGuestState(pVCpu, pMixedCtx); AssertRC(rc2); \
10312	VBOXSTRICTRC rcStrict = a_CallExpr; \
10313	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST); \
10314	return rcStrict; \
10315	} while (0)
10316	# else
10317	# define RETURN_EXIT_CALL(a_CallExpr) return a_CallExpr
10318	# endif
10319	switch (rcReason)
10320	{
10321	case VMX_EXIT_EPT_MISCONFIG: RETURN_EXIT_CALL(hmR0VmxExitEptMisconfig(pVCpu, pMixedCtx, pVmxTransient));
10322	case VMX_EXIT_EPT_VIOLATION: RETURN_EXIT_CALL(hmR0VmxExitEptViolation(pVCpu, pMixedCtx, pVmxTransient));
10323	case VMX_EXIT_IO_INSTR: RETURN_EXIT_CALL(hmR0VmxExitIoInstr(pVCpu, pMixedCtx, pVmxTransient));
10324	case VMX_EXIT_CPUID: RETURN_EXIT_CALL(hmR0VmxExitCpuid(pVCpu, pMixedCtx, pVmxTransient));
10325	case VMX_EXIT_RDTSC: RETURN_EXIT_CALL(hmR0VmxExitRdtsc(pVCpu, pMixedCtx, pVmxTransient));
10326	case VMX_EXIT_RDTSCP: RETURN_EXIT_CALL(hmR0VmxExitRdtscp(pVCpu, pMixedCtx, pVmxTransient));
10327	case VMX_EXIT_APIC_ACCESS: RETURN_EXIT_CALL(hmR0VmxExitApicAccess(pVCpu, pMixedCtx, pVmxTransient));
10328	case VMX_EXIT_XCPT_OR_NMI: RETURN_EXIT_CALL(hmR0VmxExitXcptOrNmi(pVCpu, pMixedCtx, pVmxTransient));
10329	case VMX_EXIT_MOV_CRX: RETURN_EXIT_CALL(hmR0VmxExitMovCRx(pVCpu, pMixedCtx, pVmxTransient));
10330	case VMX_EXIT_EXT_INT: RETURN_EXIT_CALL(hmR0VmxExitExtInt(pVCpu, pMixedCtx, pVmxTransient));
10331	case VMX_EXIT_INT_WINDOW: RETURN_EXIT_CALL(hmR0VmxExitIntWindow(pVCpu, pMixedCtx, pVmxTransient));
10332	case VMX_EXIT_MWAIT: RETURN_EXIT_CALL(hmR0VmxExitMwait(pVCpu, pMixedCtx, pVmxTransient));
10333	case VMX_EXIT_MONITOR: RETURN_EXIT_CALL(hmR0VmxExitMonitor(pVCpu, pMixedCtx, pVmxTransient));
10334	case VMX_EXIT_TASK_SWITCH: RETURN_EXIT_CALL(hmR0VmxExitTaskSwitch(pVCpu, pMixedCtx, pVmxTransient));
10335	case VMX_EXIT_PREEMPT_TIMER: RETURN_EXIT_CALL(hmR0VmxExitPreemptTimer(pVCpu, pMixedCtx, pVmxTransient));
10336	case VMX_EXIT_RDMSR: RETURN_EXIT_CALL(hmR0VmxExitRdmsr(pVCpu, pMixedCtx, pVmxTransient));
10337	case VMX_EXIT_WRMSR: RETURN_EXIT_CALL(hmR0VmxExitWrmsr(pVCpu, pMixedCtx, pVmxTransient));
10338	case VMX_EXIT_MOV_DRX: RETURN_EXIT_CALL(hmR0VmxExitMovDRx(pVCpu, pMixedCtx, pVmxTransient));
10339	case VMX_EXIT_TPR_BELOW_THRESHOLD: RETURN_EXIT_CALL(hmR0VmxExitTprBelowThreshold(pVCpu, pMixedCtx, pVmxTransient));
10340	case VMX_EXIT_HLT: RETURN_EXIT_CALL(hmR0VmxExitHlt(pVCpu, pMixedCtx, pVmxTransient));
10341	case VMX_EXIT_INVD: RETURN_EXIT_CALL(hmR0VmxExitInvd(pVCpu, pMixedCtx, pVmxTransient));
10342	case VMX_EXIT_INVLPG: RETURN_EXIT_CALL(hmR0VmxExitInvlpg(pVCpu, pMixedCtx, pVmxTransient));
10343	case VMX_EXIT_RSM: RETURN_EXIT_CALL(hmR0VmxExitRsm(pVCpu, pMixedCtx, pVmxTransient));
10344	case VMX_EXIT_MTF: RETURN_EXIT_CALL(hmR0VmxExitMtf(pVCpu, pMixedCtx, pVmxTransient));
10345	case VMX_EXIT_PAUSE: RETURN_EXIT_CALL(hmR0VmxExitPause(pVCpu, pMixedCtx, pVmxTransient));
10346	case VMX_EXIT_XDTR_ACCESS: RETURN_EXIT_CALL(hmR0VmxExitXdtrAccess(pVCpu, pMixedCtx, pVmxTransient));
10347	case VMX_EXIT_TR_ACCESS: RETURN_EXIT_CALL(hmR0VmxExitXdtrAccess(pVCpu, pMixedCtx, pVmxTransient));
10348	case VMX_EXIT_WBINVD: RETURN_EXIT_CALL(hmR0VmxExitWbinvd(pVCpu, pMixedCtx, pVmxTransient));
10349	case VMX_EXIT_XSETBV: RETURN_EXIT_CALL(hmR0VmxExitXsetbv(pVCpu, pMixedCtx, pVmxTransient));
10350	case VMX_EXIT_RDRAND: RETURN_EXIT_CALL(hmR0VmxExitRdrand(pVCpu, pMixedCtx, pVmxTransient));
10351	case VMX_EXIT_INVPCID: RETURN_EXIT_CALL(hmR0VmxExitInvpcid(pVCpu, pMixedCtx, pVmxTransient));
10352	case VMX_EXIT_GETSEC: RETURN_EXIT_CALL(hmR0VmxExitGetsec(pVCpu, pMixedCtx, pVmxTransient));
10353	case VMX_EXIT_RDPMC: RETURN_EXIT_CALL(hmR0VmxExitRdpmc(pVCpu, pMixedCtx, pVmxTransient));
10354	case VMX_EXIT_VMCALL: RETURN_EXIT_CALL(hmR0VmxExitVmcall(pVCpu, pMixedCtx, pVmxTransient));
10355
10356	case VMX_EXIT_TRIPLE_FAULT: return hmR0VmxExitTripleFault(pVCpu, pMixedCtx, pVmxTransient);
10357	case VMX_EXIT_NMI_WINDOW: return hmR0VmxExitNmiWindow(pVCpu, pMixedCtx, pVmxTransient);
10358	case VMX_EXIT_INIT_SIGNAL: return hmR0VmxExitInitSignal(pVCpu, pMixedCtx, pVmxTransient);
10359	case VMX_EXIT_SIPI: return hmR0VmxExitSipi(pVCpu, pMixedCtx, pVmxTransient);
10360	case VMX_EXIT_IO_SMI: return hmR0VmxExitIoSmi(pVCpu, pMixedCtx, pVmxTransient);
10361	case VMX_EXIT_SMI: return hmR0VmxExitSmi(pVCpu, pMixedCtx, pVmxTransient);
10362	case VMX_EXIT_ERR_MSR_LOAD: return hmR0VmxExitErrMsrLoad(pVCpu, pMixedCtx, pVmxTransient);
10363	case VMX_EXIT_ERR_INVALID_GUEST_STATE: return hmR0VmxExitErrInvalidGuestState(pVCpu, pMixedCtx, pVmxTransient);
10364	case VMX_EXIT_ERR_MACHINE_CHECK: return hmR0VmxExitErrMachineCheck(pVCpu, pMixedCtx, pVmxTransient);
10365
10366	case VMX_EXIT_VMCLEAR:
10367	case VMX_EXIT_VMLAUNCH:
10368	case VMX_EXIT_VMPTRLD:
10369	case VMX_EXIT_VMPTRST:
10370	case VMX_EXIT_VMREAD:
10371	case VMX_EXIT_VMRESUME:
10372	case VMX_EXIT_VMWRITE:
10373	case VMX_EXIT_VMXOFF:
10374	case VMX_EXIT_VMXON:
10375	case VMX_EXIT_INVEPT:
10376	case VMX_EXIT_INVVPID:
10377	case VMX_EXIT_VMFUNC:
10378	case VMX_EXIT_XSAVES:
10379	case VMX_EXIT_XRSTORS:
10380	return hmR0VmxExitSetPendingXcptUD(pVCpu, pMixedCtx, pVmxTransient);
10381	case VMX_EXIT_RESERVED_60:
10382	case VMX_EXIT_RDSEED: /* only spurious exits, so undefined */
10383	case VMX_EXIT_RESERVED_62:
10384	default:
10385	return hmR0VmxExitErrUndefined(pVCpu, pMixedCtx, pVmxTransient);
10386	}
10387	#undef RETURN_EXIT_CALL
10388	}
10389	#endif /* !HMVMX_USE_FUNCTION_TABLE */
10390
10391
10392	#ifdef VBOX_STRICT
10393	/* Is there some generic IPRT define for this that are not in Runtime/internal/\* ?? */
10394	# define HMVMX_ASSERT_PREEMPT_CPUID_VAR() \
10395	RTCPUID const idAssertCpu = RTThreadPreemptIsEnabled(NIL_RTTHREAD) ? NIL_RTCPUID : RTMpCpuId()
10396
10397	# define HMVMX_ASSERT_PREEMPT_CPUID() \
10398	do { \
10399	RTCPUID const idAssertCpuNow = RTThreadPreemptIsEnabled(NIL_RTTHREAD) ? NIL_RTCPUID : RTMpCpuId(); \
10400	AssertMsg(idAssertCpu == idAssertCpuNow, ("VMX %#x, %#x\n", idAssertCpu, idAssertCpuNow)); \
10401	} while (0)
10402
10403	# define HMVMX_VALIDATE_EXIT_HANDLER_PARAMS() \
10404	do { \
10405	AssertPtr(pVCpu); \
10406	AssertPtr(pMixedCtx); \
10407	AssertPtr(pVmxTransient); \
10408	Assert(pVmxTransient->fVMEntryFailed == false); \
10409	Assert(ASMIntAreEnabled()); \
10410	HMVMX_ASSERT_PREEMPT_SAFE(); \
10411	HMVMX_ASSERT_PREEMPT_CPUID_VAR(); \
10412	Log4Func(("vcpu[%RU32] -v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v\n", pVCpu->idCpu)); \
10413	HMVMX_ASSERT_PREEMPT_SAFE(); \
10414	if (VMMR0IsLogFlushDisabled(pVCpu)) \
10415	HMVMX_ASSERT_PREEMPT_CPUID(); \
10416	HMVMX_STOP_EXIT_DISPATCH_PROF(); \
10417	} while (0)
10418
10419	# define HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS() \
10420	do { \
10421	Log4Func(("\n")); \
10422	} while (0)
10423	#else /* nonstrict builds: */
10424	# define HMVMX_VALIDATE_EXIT_HANDLER_PARAMS() \
10425	do { \
10426	HMVMX_STOP_EXIT_DISPATCH_PROF(); \
10427	NOREF(pVCpu); NOREF(pMixedCtx); NOREF(pVmxTransient); \
10428	} while (0)
10429	# define HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS() do { } while (0)
10430	#endif
10431
10432
10433	/**
10434	* Advances the guest RIP by the specified number of bytes.
10435	*
10436	* @param pVCpu The cross context virtual CPU structure.
10437	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
10438	* out-of-sync. Make sure to update the required fields
10439	* before using them.
10440	* @param cbInstr Number of bytes to advance the RIP by.
10441	*
10442	* @remarks No-long-jump zone!!!
10443	*/
10444	DECLINLINE(void) hmR0VmxAdvanceGuestRipBy(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint32_t cbInstr)
10445	{
10446	/* Advance the RIP. */
10447	pMixedCtx->rip += cbInstr;
10448	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
10449
10450	/* Update interrupt inhibition. */
10451	if ( VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS)
10452	&& pMixedCtx->rip != EMGetInhibitInterruptsPC(pVCpu))
10453	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
10454	}
10455
10456
10457	/**
10458	* Advances the guest RIP after reading it from the VMCS.
10459	*
10460	* @returns VBox status code, no informational status codes.
10461	* @param pVCpu The cross context virtual CPU structure.
10462	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
10463	* out-of-sync. Make sure to update the required fields
10464	* before using them.
10465	* @param pVmxTransient Pointer to the VMX transient structure.
10466	*
10467	* @remarks No-long-jump zone!!!
10468	*/
10469	static int hmR0VmxAdvanceGuestRip(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10470	{
10471	int rc = hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
10472	rc \|= hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
10473	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
10474	AssertRCReturn(rc, rc);
10475
10476	hmR0VmxAdvanceGuestRipBy(pVCpu, pMixedCtx, pVmxTransient->cbInstr);
10477
10478	/*
10479	* Deliver a debug exception to the guest if it is single-stepping. Don't directly inject a #DB but use the
10480	* pending debug exception field as it takes care of priority of events.
10481	*
10482	* See Intel spec. 32.2.1 "Debug Exceptions".
10483	*/
10484	if ( !pVCpu->hm.s.fSingleInstruction
10485	&& pMixedCtx->eflags.Bits.u1TF)
10486	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
10487
10488	return VINF_SUCCESS;
10489	}
10490
10491
10492	/**
10493	* Tries to determine what part of the guest-state VT-x has deemed as invalid
10494	* and update error record fields accordingly.
10495	*
10496	* @return VMX_IGS_* return codes.
10497	* @retval VMX_IGS_REASON_NOT_FOUND if this function could not find anything
10498	* wrong with the guest state.
10499	*
10500	* @param pVM The cross context VM structure.
10501	* @param pVCpu The cross context virtual CPU structure.
10502	* @param pCtx Pointer to the guest-CPU state.
10503	*
10504	* @remarks This function assumes our cache of the VMCS controls
10505	* are valid, i.e. hmR0VmxCheckVmcsCtls() succeeded.
10506	*/
10507	static uint32_t hmR0VmxCheckGuestState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
10508	{
10509	#define HMVMX_ERROR_BREAK(err) { uError = (err); break; }
10510	#define HMVMX_CHECK_BREAK(expr, err) if (!(expr)) { \
10511	uError = (err); \
10512	break; \
10513	} else do { } while (0)
10514
10515	int rc;
10516	uint32_t uError = VMX_IGS_ERROR;
10517	uint32_t u32Val;
10518	bool fUnrestrictedGuest = pVM->hm.s.vmx.fUnrestrictedGuest;
10519
10520	do
10521	{
10522	/*
10523	* CR0.
10524	*/
10525	uint32_t uSetCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
10526	uint32_t uZapCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
10527	/* Exceptions for unrestricted-guests for fixed CR0 bits (PE, PG).
10528	See Intel spec. 26.3.1 "Checks on Guest Control Registers, Debug Registers and MSRs." */
10529	if (fUnrestrictedGuest)
10530	uSetCR0 &= ~(X86_CR0_PE \| X86_CR0_PG);
10531
10532	uint32_t u32GuestCR0;
10533	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR0, &u32GuestCR0);
10534	AssertRCBreak(rc);
10535	HMVMX_CHECK_BREAK((u32GuestCR0 & uSetCR0) == uSetCR0, VMX_IGS_CR0_FIXED1);
10536	HMVMX_CHECK_BREAK(!(u32GuestCR0 & ~uZapCR0), VMX_IGS_CR0_FIXED0);
10537	if ( !fUnrestrictedGuest
10538	&& (u32GuestCR0 & X86_CR0_PG)
10539	&& !(u32GuestCR0 & X86_CR0_PE))
10540	{
10541	HMVMX_ERROR_BREAK(VMX_IGS_CR0_PG_PE_COMBO);
10542	}
10543
10544	/*
10545	* CR4.
10546	*/
10547	uint64_t uSetCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
10548	uint64_t uZapCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
10549
10550	uint32_t u32GuestCR4;
10551	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR4, &u32GuestCR4);
10552	AssertRCBreak(rc);
10553	HMVMX_CHECK_BREAK((u32GuestCR4 & uSetCR4) == uSetCR4, VMX_IGS_CR4_FIXED1);
10554	HMVMX_CHECK_BREAK(!(u32GuestCR4 & ~uZapCR4), VMX_IGS_CR4_FIXED0);
10555
10556	/*
10557	* IA32_DEBUGCTL MSR.
10558	*/
10559	uint64_t u64Val;
10560	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_DEBUGCTL_FULL, &u64Val);
10561	AssertRCBreak(rc);
10562	if ( (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG)
10563	&& (u64Val & 0xfffffe3c)) /* Bits 31:9, bits 5:2 MBZ. */
10564	{
10565	HMVMX_ERROR_BREAK(VMX_IGS_DEBUGCTL_MSR_RESERVED);
10566	}
10567	uint64_t u64DebugCtlMsr = u64Val;
10568
10569	#ifdef VBOX_STRICT
10570	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY, &u32Val);
10571	AssertRCBreak(rc);
10572	Assert(u32Val == pVCpu->hm.s.vmx.u32EntryCtls);
10573	#endif
10574	bool const fLongModeGuest = RT_BOOL(pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST);
10575
10576	/*
10577	* RIP and RFLAGS.
10578	*/
10579	uint32_t u32Eflags;
10580	#if HC_ARCH_BITS == 64
10581	rc = VMXReadVmcs64(VMX_VMCS_GUEST_RIP, &u64Val);
10582	AssertRCBreak(rc);
10583	/* pCtx->rip can be different than the one in the VMCS (e.g. run guest code and VM-exits that don't update it). */
10584	if ( !fLongModeGuest
10585	\|\| !pCtx->cs.Attr.n.u1Long)
10586	{
10587	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xffffffff00000000)), VMX_IGS_LONGMODE_RIP_INVALID);
10588	}
10589	/** @todo If the processor supports N < 64 linear-address bits, bits 63:N
10590	* must be identical if the "IA-32e mode guest" VM-entry
10591	* control is 1 and CS.L is 1. No check applies if the
10592	* CPU supports 64 linear-address bits. */
10593
10594	/* Flags in pCtx can be different (real-on-v86 for instance). We are only concerned about the VMCS contents here. */
10595	rc = VMXReadVmcs64(VMX_VMCS_GUEST_RFLAGS, &u64Val);
10596	AssertRCBreak(rc);
10597	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xffffffffffc08028)), /* Bit 63:22, Bit 15, 5, 3 MBZ. */
10598	VMX_IGS_RFLAGS_RESERVED);
10599	HMVMX_CHECK_BREAK((u64Val & X86_EFL_RA1_MASK), VMX_IGS_RFLAGS_RESERVED1); /* Bit 1 MB1. */
10600	u32Eflags = u64Val;
10601	#else
10602	rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &u32Eflags);
10603	AssertRCBreak(rc);
10604	HMVMX_CHECK_BREAK(!(u32Eflags & 0xffc08028), VMX_IGS_RFLAGS_RESERVED); /* Bit 31:22, Bit 15, 5, 3 MBZ. */
10605	HMVMX_CHECK_BREAK((u32Eflags & X86_EFL_RA1_MASK), VMX_IGS_RFLAGS_RESERVED1); /* Bit 1 MB1. */
10606	#endif
10607
10608	if ( fLongModeGuest
10609	\|\| ( fUnrestrictedGuest
10610	&& !(u32GuestCR0 & X86_CR0_PE)))
10611	{
10612	HMVMX_CHECK_BREAK(!(u32Eflags & X86_EFL_VM), VMX_IGS_RFLAGS_VM_INVALID);
10613	}
10614
10615	uint32_t u32EntryInfo;
10616	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, &u32EntryInfo);
10617	AssertRCBreak(rc);
10618	if ( VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(u32EntryInfo)
10619	&& VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
10620	{
10621	HMVMX_CHECK_BREAK(u32Eflags & X86_EFL_IF, VMX_IGS_RFLAGS_IF_INVALID);
10622	}
10623
10624	/*
10625	* 64-bit checks.
10626	*/
10627	#if HC_ARCH_BITS == 64
10628	if (fLongModeGuest)
10629	{
10630	HMVMX_CHECK_BREAK(u32GuestCR0 & X86_CR0_PG, VMX_IGS_CR0_PG_LONGMODE);
10631	HMVMX_CHECK_BREAK(u32GuestCR4 & X86_CR4_PAE, VMX_IGS_CR4_PAE_LONGMODE);
10632	}
10633
10634	if ( !fLongModeGuest
10635	&& (u32GuestCR4 & X86_CR4_PCIDE))
10636	{
10637	HMVMX_ERROR_BREAK(VMX_IGS_CR4_PCIDE);
10638	}
10639
10640	/** @todo CR3 field must be such that bits 63:52 and bits in the range
10641	* 51:32 beyond the processor's physical-address width are 0. */
10642
10643	if ( (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG)
10644	&& (pCtx->dr[7] & X86_DR7_MBZ_MASK))
10645	{
10646	HMVMX_ERROR_BREAK(VMX_IGS_DR7_RESERVED);
10647	}
10648
10649	rc = VMXReadVmcs64(VMX_VMCS_HOST_SYSENTER_ESP, &u64Val);
10650	AssertRCBreak(rc);
10651	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_SYSENTER_ESP_NOT_CANONICAL);
10652
10653	rc = VMXReadVmcs64(VMX_VMCS_HOST_SYSENTER_EIP, &u64Val);
10654	AssertRCBreak(rc);
10655	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_SYSENTER_EIP_NOT_CANONICAL);
10656	#endif
10657
10658	/*
10659	* PERF_GLOBAL MSR.
10660	*/
10661	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PERF_MSR)
10662	{
10663	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PERF_GLOBAL_CTRL_FULL, &u64Val);
10664	AssertRCBreak(rc);
10665	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xfffffff8fffffffc)),
10666	VMX_IGS_PERF_GLOBAL_MSR_RESERVED); /* Bits 63:35, bits 31:2 MBZ. */
10667	}
10668
10669	/*
10670	* PAT MSR.
10671	*/
10672	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PAT_MSR)
10673	{
10674	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PAT_FULL, &u64Val);
10675	AssertRCBreak(rc);
10676	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0x707070707070707)), VMX_IGS_PAT_MSR_RESERVED);
10677	for (unsigned i = 0; i < 8; i++)
10678	{
10679	uint8_t u8Val = (u64Val & 0xff);
10680	if ( u8Val != 0 /* UC */
10681	&& u8Val != 1 /* WC */
10682	&& u8Val != 4 /* WT */
10683	&& u8Val != 5 /* WP */
10684	&& u8Val != 6 /* WB */
10685	&& u8Val != 7 /* UC- */)
10686	{
10687	HMVMX_ERROR_BREAK(VMX_IGS_PAT_MSR_INVALID);
10688	}
10689	u64Val >>= 8;
10690	}
10691	}
10692
10693	/*
10694	* EFER MSR.
10695	*/
10696	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR)
10697	{
10698	Assert(pVM->hm.s.vmx.fSupportsVmcsEfer);
10699	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_EFER_FULL, &u64Val);
10700	AssertRCBreak(rc);
10701	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xfffffffffffff2fe)),
10702	VMX_IGS_EFER_MSR_RESERVED); /* Bits 63:12, bit 9, bits 7:1 MBZ. */
10703	HMVMX_CHECK_BREAK(RT_BOOL(u64Val & MSR_K6_EFER_LMA) == RT_BOOL( pVCpu->hm.s.vmx.u32EntryCtls
10704	& VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST),
10705	VMX_IGS_EFER_LMA_GUEST_MODE_MISMATCH);
10706	HMVMX_CHECK_BREAK( fUnrestrictedGuest
10707	\|\| !(u32GuestCR0 & X86_CR0_PG)
10708	\|\| RT_BOOL(u64Val & MSR_K6_EFER_LMA) == RT_BOOL(u64Val & MSR_K6_EFER_LME),
10709	VMX_IGS_EFER_LMA_LME_MISMATCH);
10710	}
10711
10712	/*
10713	* Segment registers.
10714	*/
10715	HMVMX_CHECK_BREAK( (pCtx->ldtr.Attr.u & X86DESCATTR_UNUSABLE)
10716	\|\| !(pCtx->ldtr.Sel & X86_SEL_LDT), VMX_IGS_LDTR_TI_INVALID);
10717	if (!(u32Eflags & X86_EFL_VM))
10718	{
10719	/* CS */
10720	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u1Present, VMX_IGS_CS_ATTR_P_INVALID);
10721	HMVMX_CHECK_BREAK(!(pCtx->cs.Attr.u & 0xf00), VMX_IGS_CS_ATTR_RESERVED);
10722	HMVMX_CHECK_BREAK(!(pCtx->cs.Attr.u & 0xfffe0000), VMX_IGS_CS_ATTR_RESERVED);
10723	HMVMX_CHECK_BREAK( (pCtx->cs.u32Limit & 0xfff) == 0xfff
10724	\|\| !(pCtx->cs.Attr.n.u1Granularity), VMX_IGS_CS_ATTR_G_INVALID);
10725	HMVMX_CHECK_BREAK( !(pCtx->cs.u32Limit & 0xfff00000)
10726	\|\| (pCtx->cs.Attr.n.u1Granularity), VMX_IGS_CS_ATTR_G_INVALID);
10727	/* CS cannot be loaded with NULL in protected mode. */
10728	HMVMX_CHECK_BREAK(pCtx->cs.Attr.u && !(pCtx->cs.Attr.u & X86DESCATTR_UNUSABLE), VMX_IGS_CS_ATTR_UNUSABLE);
10729	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u1DescType, VMX_IGS_CS_ATTR_S_INVALID);
10730	if (pCtx->cs.Attr.n.u4Type == 9 \|\| pCtx->cs.Attr.n.u4Type == 11)
10731	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u2Dpl == pCtx->ss.Attr.n.u2Dpl, VMX_IGS_CS_SS_ATTR_DPL_UNEQUAL);
10732	else if (pCtx->cs.Attr.n.u4Type == 13 \|\| pCtx->cs.Attr.n.u4Type == 15)
10733	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u2Dpl <= pCtx->ss.Attr.n.u2Dpl, VMX_IGS_CS_SS_ATTR_DPL_MISMATCH);
10734	else if (pVM->hm.s.vmx.fUnrestrictedGuest && pCtx->cs.Attr.n.u4Type == 3)
10735	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u2Dpl == 0, VMX_IGS_CS_ATTR_DPL_INVALID);
10736	else
10737	HMVMX_ERROR_BREAK(VMX_IGS_CS_ATTR_TYPE_INVALID);
10738
10739	/* SS */
10740	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
10741	\|\| (pCtx->ss.Sel & X86_SEL_RPL) == (pCtx->cs.Sel & X86_SEL_RPL), VMX_IGS_SS_CS_RPL_UNEQUAL);
10742	HMVMX_CHECK_BREAK(pCtx->ss.Attr.n.u2Dpl == (pCtx->ss.Sel & X86_SEL_RPL), VMX_IGS_SS_ATTR_DPL_RPL_UNEQUAL);
10743	if ( !(pCtx->cr0 & X86_CR0_PE)
10744	\|\| pCtx->cs.Attr.n.u4Type == 3)
10745	{
10746	HMVMX_CHECK_BREAK(!pCtx->ss.Attr.n.u2Dpl, VMX_IGS_SS_ATTR_DPL_INVALID);
10747	}
10748	if (!(pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE))
10749	{
10750	HMVMX_CHECK_BREAK(pCtx->ss.Attr.n.u4Type == 3 \|\| pCtx->ss.Attr.n.u4Type == 7, VMX_IGS_SS_ATTR_TYPE_INVALID);
10751	HMVMX_CHECK_BREAK(pCtx->ss.Attr.n.u1Present, VMX_IGS_SS_ATTR_P_INVALID);
10752	HMVMX_CHECK_BREAK(!(pCtx->ss.Attr.u & 0xf00), VMX_IGS_SS_ATTR_RESERVED);
10753	HMVMX_CHECK_BREAK(!(pCtx->ss.Attr.u & 0xfffe0000), VMX_IGS_SS_ATTR_RESERVED);
10754	HMVMX_CHECK_BREAK( (pCtx->ss.u32Limit & 0xfff) == 0xfff
10755	\|\| !(pCtx->ss.Attr.n.u1Granularity), VMX_IGS_SS_ATTR_G_INVALID);
10756	HMVMX_CHECK_BREAK( !(pCtx->ss.u32Limit & 0xfff00000)
10757	\|\| (pCtx->ss.Attr.n.u1Granularity), VMX_IGS_SS_ATTR_G_INVALID);
10758	}
10759
10760	/* DS, ES, FS, GS - only check for usable selectors, see hmR0VmxWriteSegmentReg(). */
10761	if (!(pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE))
10762	{
10763	HMVMX_CHECK_BREAK(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_DS_ATTR_A_INVALID);
10764	HMVMX_CHECK_BREAK(pCtx->ds.Attr.n.u1Present, VMX_IGS_DS_ATTR_P_INVALID);
10765	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
10766	\|\| pCtx->ds.Attr.n.u4Type > 11
10767	\|\| pCtx->ds.Attr.n.u2Dpl >= (pCtx->ds.Sel & X86_SEL_RPL), VMX_IGS_DS_ATTR_DPL_RPL_UNEQUAL);
10768	HMVMX_CHECK_BREAK(!(pCtx->ds.Attr.u & 0xf00), VMX_IGS_DS_ATTR_RESERVED);
10769	HMVMX_CHECK_BREAK(!(pCtx->ds.Attr.u & 0xfffe0000), VMX_IGS_DS_ATTR_RESERVED);
10770	HMVMX_CHECK_BREAK( (pCtx->ds.u32Limit & 0xfff) == 0xfff
10771	\|\| !(pCtx->ds.Attr.n.u1Granularity), VMX_IGS_DS_ATTR_G_INVALID);
10772	HMVMX_CHECK_BREAK( !(pCtx->ds.u32Limit & 0xfff00000)
10773	\|\| (pCtx->ds.Attr.n.u1Granularity), VMX_IGS_DS_ATTR_G_INVALID);
10774	HMVMX_CHECK_BREAK( !(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_CODE)
10775	\|\| (pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_DS_ATTR_TYPE_INVALID);
10776	}
10777	if (!(pCtx->es.Attr.u & X86DESCATTR_UNUSABLE))
10778	{
10779	HMVMX_CHECK_BREAK(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_ES_ATTR_A_INVALID);
10780	HMVMX_CHECK_BREAK(pCtx->es.Attr.n.u1Present, VMX_IGS_ES_ATTR_P_INVALID);
10781	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
10782	\|\| pCtx->es.Attr.n.u4Type > 11
10783	\|\| pCtx->es.Attr.n.u2Dpl >= (pCtx->es.Sel & X86_SEL_RPL), VMX_IGS_DS_ATTR_DPL_RPL_UNEQUAL);
10784	HMVMX_CHECK_BREAK(!(pCtx->es.Attr.u & 0xf00), VMX_IGS_ES_ATTR_RESERVED);
10785	HMVMX_CHECK_BREAK(!(pCtx->es.Attr.u & 0xfffe0000), VMX_IGS_ES_ATTR_RESERVED);
10786	HMVMX_CHECK_BREAK( (pCtx->es.u32Limit & 0xfff) == 0xfff
10787	\|\| !(pCtx->es.Attr.n.u1Granularity), VMX_IGS_ES_ATTR_G_INVALID);
10788	HMVMX_CHECK_BREAK( !(pCtx->es.u32Limit & 0xfff00000)
10789	\|\| (pCtx->es.Attr.n.u1Granularity), VMX_IGS_ES_ATTR_G_INVALID);
10790	HMVMX_CHECK_BREAK( !(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_CODE)
10791	\|\| (pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_ES_ATTR_TYPE_INVALID);
10792	}
10793	if (!(pCtx->fs.Attr.u & X86DESCATTR_UNUSABLE))
10794	{
10795	HMVMX_CHECK_BREAK(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_FS_ATTR_A_INVALID);
10796	HMVMX_CHECK_BREAK(pCtx->fs.Attr.n.u1Present, VMX_IGS_FS_ATTR_P_INVALID);
10797	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
10798	\|\| pCtx->fs.Attr.n.u4Type > 11
10799	\|\| pCtx->fs.Attr.n.u2Dpl >= (pCtx->fs.Sel & X86_SEL_RPL), VMX_IGS_FS_ATTR_DPL_RPL_UNEQUAL);
10800	HMVMX_CHECK_BREAK(!(pCtx->fs.Attr.u & 0xf00), VMX_IGS_FS_ATTR_RESERVED);
10801	HMVMX_CHECK_BREAK(!(pCtx->fs.Attr.u & 0xfffe0000), VMX_IGS_FS_ATTR_RESERVED);
10802	HMVMX_CHECK_BREAK( (pCtx->fs.u32Limit & 0xfff) == 0xfff
10803	\|\| !(pCtx->fs.Attr.n.u1Granularity), VMX_IGS_FS_ATTR_G_INVALID);
10804	HMVMX_CHECK_BREAK( !(pCtx->fs.u32Limit & 0xfff00000)
10805	\|\| (pCtx->fs.Attr.n.u1Granularity), VMX_IGS_FS_ATTR_G_INVALID);
10806	HMVMX_CHECK_BREAK( !(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
10807	\|\| (pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_FS_ATTR_TYPE_INVALID);
10808	}
10809	if (!(pCtx->gs.Attr.u & X86DESCATTR_UNUSABLE))
10810	{
10811	HMVMX_CHECK_BREAK(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_GS_ATTR_A_INVALID);
10812	HMVMX_CHECK_BREAK(pCtx->gs.Attr.n.u1Present, VMX_IGS_GS_ATTR_P_INVALID);
10813	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
10814	\|\| pCtx->gs.Attr.n.u4Type > 11
10815	\|\| pCtx->gs.Attr.n.u2Dpl >= (pCtx->gs.Sel & X86_SEL_RPL), VMX_IGS_GS_ATTR_DPL_RPL_UNEQUAL);
10816	HMVMX_CHECK_BREAK(!(pCtx->gs.Attr.u & 0xf00), VMX_IGS_GS_ATTR_RESERVED);
10817	HMVMX_CHECK_BREAK(!(pCtx->gs.Attr.u & 0xfffe0000), VMX_IGS_GS_ATTR_RESERVED);
10818	HMVMX_CHECK_BREAK( (pCtx->gs.u32Limit & 0xfff) == 0xfff
10819	\|\| !(pCtx->gs.Attr.n.u1Granularity), VMX_IGS_GS_ATTR_G_INVALID);
10820	HMVMX_CHECK_BREAK( !(pCtx->gs.u32Limit & 0xfff00000)
10821	\|\| (pCtx->gs.Attr.n.u1Granularity), VMX_IGS_GS_ATTR_G_INVALID);
10822	HMVMX_CHECK_BREAK( !(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
10823	\|\| (pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_GS_ATTR_TYPE_INVALID);
10824	}
10825	/* 64-bit capable CPUs. */
10826	#if HC_ARCH_BITS == 64
10827	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->fs.u64Base), VMX_IGS_FS_BASE_NOT_CANONICAL);
10828	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->gs.u64Base), VMX_IGS_GS_BASE_NOT_CANONICAL);
10829	HMVMX_CHECK_BREAK( (pCtx->ldtr.Attr.u & X86DESCATTR_UNUSABLE)
10830	\|\| X86_IS_CANONICAL(pCtx->ldtr.u64Base), VMX_IGS_LDTR_BASE_NOT_CANONICAL);
10831	HMVMX_CHECK_BREAK(!(pCtx->cs.u64Base >> 32), VMX_IGS_LONGMODE_CS_BASE_INVALID);
10832	HMVMX_CHECK_BREAK((pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ss.u64Base >> 32),
10833	VMX_IGS_LONGMODE_SS_BASE_INVALID);
10834	HMVMX_CHECK_BREAK((pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ds.u64Base >> 32),
10835	VMX_IGS_LONGMODE_DS_BASE_INVALID);
10836	HMVMX_CHECK_BREAK((pCtx->es.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->es.u64Base >> 32),
10837	VMX_IGS_LONGMODE_ES_BASE_INVALID);
10838	#endif
10839	}
10840	else
10841	{
10842	/* V86 mode checks. */
10843	uint32_t u32CSAttr, u32SSAttr, u32DSAttr, u32ESAttr, u32FSAttr, u32GSAttr;
10844	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
10845	{
10846	u32CSAttr = 0xf3; u32SSAttr = 0xf3;
10847	u32DSAttr = 0xf3; u32ESAttr = 0xf3;
10848	u32FSAttr = 0xf3; u32GSAttr = 0xf3;
10849	}
10850	else
10851	{
10852	u32CSAttr = pCtx->cs.Attr.u; u32SSAttr = pCtx->ss.Attr.u;
10853	u32DSAttr = pCtx->ds.Attr.u; u32ESAttr = pCtx->es.Attr.u;
10854	u32FSAttr = pCtx->fs.Attr.u; u32GSAttr = pCtx->gs.Attr.u;
10855	}
10856
10857	/* CS */
10858	HMVMX_CHECK_BREAK((pCtx->cs.u64Base == (uint64_t)pCtx->cs.Sel << 4), VMX_IGS_V86_CS_BASE_INVALID);
10859	HMVMX_CHECK_BREAK(pCtx->cs.u32Limit == 0xffff, VMX_IGS_V86_CS_LIMIT_INVALID);
10860	HMVMX_CHECK_BREAK(u32CSAttr == 0xf3, VMX_IGS_V86_CS_ATTR_INVALID);
10861	/* SS */
10862	HMVMX_CHECK_BREAK((pCtx->ss.u64Base == (uint64_t)pCtx->ss.Sel << 4), VMX_IGS_V86_SS_BASE_INVALID);
10863	HMVMX_CHECK_BREAK(pCtx->ss.u32Limit == 0xffff, VMX_IGS_V86_SS_LIMIT_INVALID);
10864	HMVMX_CHECK_BREAK(u32SSAttr == 0xf3, VMX_IGS_V86_SS_ATTR_INVALID);
10865	/* DS */
10866	HMVMX_CHECK_BREAK((pCtx->ds.u64Base == (uint64_t)pCtx->ds.Sel << 4), VMX_IGS_V86_DS_BASE_INVALID);
10867	HMVMX_CHECK_BREAK(pCtx->ds.u32Limit == 0xffff, VMX_IGS_V86_DS_LIMIT_INVALID);
10868	HMVMX_CHECK_BREAK(u32DSAttr == 0xf3, VMX_IGS_V86_DS_ATTR_INVALID);
10869	/* ES */
10870	HMVMX_CHECK_BREAK((pCtx->es.u64Base == (uint64_t)pCtx->es.Sel << 4), VMX_IGS_V86_ES_BASE_INVALID);
10871	HMVMX_CHECK_BREAK(pCtx->es.u32Limit == 0xffff, VMX_IGS_V86_ES_LIMIT_INVALID);
10872	HMVMX_CHECK_BREAK(u32ESAttr == 0xf3, VMX_IGS_V86_ES_ATTR_INVALID);
10873	/* FS */
10874	HMVMX_CHECK_BREAK((pCtx->fs.u64Base == (uint64_t)pCtx->fs.Sel << 4), VMX_IGS_V86_FS_BASE_INVALID);
10875	HMVMX_CHECK_BREAK(pCtx->fs.u32Limit == 0xffff, VMX_IGS_V86_FS_LIMIT_INVALID);
10876	HMVMX_CHECK_BREAK(u32FSAttr == 0xf3, VMX_IGS_V86_FS_ATTR_INVALID);
10877	/* GS */
10878	HMVMX_CHECK_BREAK((pCtx->gs.u64Base == (uint64_t)pCtx->gs.Sel << 4), VMX_IGS_V86_GS_BASE_INVALID);
10879	HMVMX_CHECK_BREAK(pCtx->gs.u32Limit == 0xffff, VMX_IGS_V86_GS_LIMIT_INVALID);
10880	HMVMX_CHECK_BREAK(u32GSAttr == 0xf3, VMX_IGS_V86_GS_ATTR_INVALID);
10881	/* 64-bit capable CPUs. */
10882	#if HC_ARCH_BITS == 64
10883	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->fs.u64Base), VMX_IGS_FS_BASE_NOT_CANONICAL);
10884	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->gs.u64Base), VMX_IGS_GS_BASE_NOT_CANONICAL);
10885	HMVMX_CHECK_BREAK( (pCtx->ldtr.Attr.u & X86DESCATTR_UNUSABLE)
10886	\|\| X86_IS_CANONICAL(pCtx->ldtr.u64Base), VMX_IGS_LDTR_BASE_NOT_CANONICAL);
10887	HMVMX_CHECK_BREAK(!(pCtx->cs.u64Base >> 32), VMX_IGS_LONGMODE_CS_BASE_INVALID);
10888	HMVMX_CHECK_BREAK((pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ss.u64Base >> 32),
10889	VMX_IGS_LONGMODE_SS_BASE_INVALID);
10890	HMVMX_CHECK_BREAK((pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ds.u64Base >> 32),
10891	VMX_IGS_LONGMODE_DS_BASE_INVALID);
10892	HMVMX_CHECK_BREAK((pCtx->es.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->es.u64Base >> 32),
10893	VMX_IGS_LONGMODE_ES_BASE_INVALID);
10894	#endif
10895	}
10896
10897	/*
10898	* TR.
10899	*/
10900	HMVMX_CHECK_BREAK(!(pCtx->tr.Sel & X86_SEL_LDT), VMX_IGS_TR_TI_INVALID);
10901	/* 64-bit capable CPUs. */
10902	#if HC_ARCH_BITS == 64
10903	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->tr.u64Base), VMX_IGS_TR_BASE_NOT_CANONICAL);
10904	#endif
10905	if (fLongModeGuest)
10906	{
10907	HMVMX_CHECK_BREAK(pCtx->tr.Attr.n.u4Type == 11, /* 64-bit busy TSS. */
10908	VMX_IGS_LONGMODE_TR_ATTR_TYPE_INVALID);
10909	}
10910	else
10911	{
10912	HMVMX_CHECK_BREAK( pCtx->tr.Attr.n.u4Type == 3 /* 16-bit busy TSS. */
10913	\|\| pCtx->tr.Attr.n.u4Type == 11, /* 32-bit busy TSS.*/
10914	VMX_IGS_TR_ATTR_TYPE_INVALID);
10915	}
10916	HMVMX_CHECK_BREAK(!pCtx->tr.Attr.n.u1DescType, VMX_IGS_TR_ATTR_S_INVALID);
10917	HMVMX_CHECK_BREAK(pCtx->tr.Attr.n.u1Present, VMX_IGS_TR_ATTR_P_INVALID);
10918	HMVMX_CHECK_BREAK(!(pCtx->tr.Attr.u & 0xf00), VMX_IGS_TR_ATTR_RESERVED); /* Bits 11:8 MBZ. */
10919	HMVMX_CHECK_BREAK( (pCtx->tr.u32Limit & 0xfff) == 0xfff
10920	\|\| !(pCtx->tr.Attr.n.u1Granularity), VMX_IGS_TR_ATTR_G_INVALID);
10921	HMVMX_CHECK_BREAK( !(pCtx->tr.u32Limit & 0xfff00000)
10922	\|\| (pCtx->tr.Attr.n.u1Granularity), VMX_IGS_TR_ATTR_G_INVALID);
10923	HMVMX_CHECK_BREAK(!(pCtx->tr.Attr.u & X86DESCATTR_UNUSABLE), VMX_IGS_TR_ATTR_UNUSABLE);
10924
10925	/*
10926	* GDTR and IDTR.
10927	*/
10928	#if HC_ARCH_BITS == 64
10929	rc = VMXReadVmcs64(VMX_VMCS_GUEST_GDTR_BASE, &u64Val);
10930	AssertRCBreak(rc);
10931	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_GDTR_BASE_NOT_CANONICAL);
10932
10933	rc = VMXReadVmcs64(VMX_VMCS_GUEST_IDTR_BASE, &u64Val);
10934	AssertRCBreak(rc);
10935	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_IDTR_BASE_NOT_CANONICAL);
10936	#endif
10937
10938	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_GDTR_LIMIT, &u32Val);
10939	AssertRCBreak(rc);
10940	HMVMX_CHECK_BREAK(!(u32Val & 0xffff0000), VMX_IGS_GDTR_LIMIT_INVALID); /* Bits 31:16 MBZ. */
10941
10942	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_IDTR_LIMIT, &u32Val);
10943	AssertRCBreak(rc);
10944	HMVMX_CHECK_BREAK(!(u32Val & 0xffff0000), VMX_IGS_IDTR_LIMIT_INVALID); /* Bits 31:16 MBZ. */
10945
10946	/*
10947	* Guest Non-Register State.
10948	*/
10949	/* Activity State. */
10950	uint32_t u32ActivityState;
10951	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_ACTIVITY_STATE, &u32ActivityState);
10952	AssertRCBreak(rc);
10953	HMVMX_CHECK_BREAK( !u32ActivityState
10954	\|\| (u32ActivityState & MSR_IA32_VMX_MISC_ACTIVITY_STATES(pVM->hm.s.vmx.Msrs.u64Misc)),
10955	VMX_IGS_ACTIVITY_STATE_INVALID);
10956	HMVMX_CHECK_BREAK( !(pCtx->ss.Attr.n.u2Dpl)
10957	\|\| u32ActivityState != VMX_VMCS_GUEST_ACTIVITY_HLT, VMX_IGS_ACTIVITY_STATE_HLT_INVALID);
10958	uint32_t u32IntrState;
10959	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &u32IntrState);
10960	AssertRCBreak(rc);
10961	if ( u32IntrState == VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS
10962	\|\| u32IntrState == VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
10963	{
10964	HMVMX_CHECK_BREAK(u32ActivityState == VMX_VMCS_GUEST_ACTIVITY_ACTIVE, VMX_IGS_ACTIVITY_STATE_ACTIVE_INVALID);
10965	}
10966
10967	/** @todo Activity state and injecting interrupts. Left as a todo since we
10968	* currently don't use activity states but ACTIVE. */
10969
10970	HMVMX_CHECK_BREAK( !(pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_ENTRY_SMM)
10971	\|\| u32ActivityState != VMX_VMCS_GUEST_ACTIVITY_SIPI_WAIT, VMX_IGS_ACTIVITY_STATE_SIPI_WAIT_INVALID);
10972
10973	/* Guest interruptibility-state. */
10974	HMVMX_CHECK_BREAK(!(u32IntrState & 0xfffffff0), VMX_IGS_INTERRUPTIBILITY_STATE_RESERVED);
10975	HMVMX_CHECK_BREAK((u32IntrState & ( VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI
10976	\| VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS))
10977	!= ( VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI
10978	\| VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS),
10979	VMX_IGS_INTERRUPTIBILITY_STATE_STI_MOVSS_INVALID);
10980	HMVMX_CHECK_BREAK( (u32Eflags & X86_EFL_IF)
10981	\|\| !(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI),
10982	VMX_IGS_INTERRUPTIBILITY_STATE_STI_EFL_INVALID);
10983	if (VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(u32EntryInfo))
10984	{
10985	if (VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
10986	{
10987	HMVMX_CHECK_BREAK( !(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
10988	&& !(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS),
10989	VMX_IGS_INTERRUPTIBILITY_STATE_EXT_INT_INVALID);
10990	}
10991	else if (VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
10992	{
10993	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS),
10994	VMX_IGS_INTERRUPTIBILITY_STATE_MOVSS_INVALID);
10995	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI),
10996	VMX_IGS_INTERRUPTIBILITY_STATE_STI_INVALID);
10997	}
10998	}
10999	/** @todo Assumes the processor is not in SMM. */
11000	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI),
11001	VMX_IGS_INTERRUPTIBILITY_STATE_SMI_INVALID);
11002	HMVMX_CHECK_BREAK( !(pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_ENTRY_SMM)
11003	\|\| (u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI),
11004	VMX_IGS_INTERRUPTIBILITY_STATE_SMI_SMM_INVALID);
11005	if ( (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI)
11006	&& VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(u32EntryInfo)
11007	&& VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
11008	{
11009	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI),
11010	VMX_IGS_INTERRUPTIBILITY_STATE_NMI_INVALID);
11011	}
11012
11013	/* Pending debug exceptions. */
11014	#if HC_ARCH_BITS == 64
11015	rc = VMXReadVmcs64(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, &u64Val);
11016	AssertRCBreak(rc);
11017	/* Bits 63:15, Bit 13, Bits 11:4 MBZ. */
11018	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xffffffffffffaff0)), VMX_IGS_LONGMODE_PENDING_DEBUG_RESERVED);
11019	u32Val = u64Val; /* For pending debug exceptions checks below. */
11020	#else
11021	rc = VMXReadVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, &u32Val);
11022	AssertRCBreak(rc);
11023	/* Bits 31:15, Bit 13, Bits 11:4 MBZ. */
11024	HMVMX_CHECK_BREAK(!(u32Val & 0xffffaff0), VMX_IGS_PENDING_DEBUG_RESERVED);
11025	#endif
11026
11027	if ( (u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
11028	\|\| (u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS)
11029	\|\| u32ActivityState == VMX_VMCS_GUEST_ACTIVITY_HLT)
11030	{
11031	if ( (u32Eflags & X86_EFL_TF)
11032	&& !(u64DebugCtlMsr & RT_BIT_64(1))) /* Bit 1 is IA32_DEBUGCTL.BTF. */
11033	{
11034	/* Bit 14 is PendingDebug.BS. */
11035	HMVMX_CHECK_BREAK(u32Val & RT_BIT(14), VMX_IGS_PENDING_DEBUG_XCPT_BS_NOT_SET);
11036	}
11037	if ( !(u32Eflags & X86_EFL_TF)
11038	\|\| (u64DebugCtlMsr & RT_BIT_64(1))) /* Bit 1 is IA32_DEBUGCTL.BTF. */
11039	{
11040	/* Bit 14 is PendingDebug.BS. */
11041	HMVMX_CHECK_BREAK(!(u32Val & RT_BIT(14)), VMX_IGS_PENDING_DEBUG_XCPT_BS_NOT_CLEAR);
11042	}
11043	}
11044
11045	/* VMCS link pointer. */
11046	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL, &u64Val);
11047	AssertRCBreak(rc);
11048	if (u64Val != UINT64_C(0xffffffffffffffff))
11049	{
11050	HMVMX_CHECK_BREAK(!(u64Val & 0xfff), VMX_IGS_VMCS_LINK_PTR_RESERVED);
11051	/** @todo Bits beyond the processor's physical-address width MBZ. */
11052	/** @todo 32-bit located in memory referenced by value of this field (as a
11053	* physical address) must contain the processor's VMCS revision ID. */
11054	/** @todo SMM checks. */
11055	}
11056
11057	/** @todo Checks on Guest Page-Directory-Pointer-Table Entries when guest is
11058	* not using Nested Paging? */
11059	if ( pVM->hm.s.fNestedPaging
11060	&& !fLongModeGuest
11061	&& CPUMIsGuestInPAEModeEx(pCtx))
11062	{
11063	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE0_FULL, &u64Val);
11064	AssertRCBreak(rc);
11065	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
11066
11067	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE1_FULL, &u64Val);
11068	AssertRCBreak(rc);
11069	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
11070
11071	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE2_FULL, &u64Val);
11072	AssertRCBreak(rc);
11073	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
11074
11075	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE3_FULL, &u64Val);
11076	AssertRCBreak(rc);
11077	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
11078	}
11079
11080	/* Shouldn't happen but distinguish it from AssertRCBreak() errors. */
11081	if (uError == VMX_IGS_ERROR)
11082	uError = VMX_IGS_REASON_NOT_FOUND;
11083	} while (0);
11084
11085	pVCpu->hm.s.u32HMError = uError;
11086	return uError;
11087
11088	#undef HMVMX_ERROR_BREAK
11089	#undef HMVMX_CHECK_BREAK
11090	}
11091
11092	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= */
11093	/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- VM-exit handlers -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
11094	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= */
11095
11096	/** @name VM-exit handlers.
11097	* @{
11098	*/
11099
11100	/**
11101	* VM-exit handler for external interrupts (VMX_EXIT_EXT_INT).
11102	*/
11103	HMVMX_EXIT_DECL hmR0VmxExitExtInt(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11104	{
11105	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11106	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitExtInt);
11107	/* Windows hosts (32-bit and 64-bit) have DPC latency issues. See @bugref{6853}. */
11108	if (VMMR0ThreadCtxHookIsEnabled(pVCpu))
11109	return VINF_SUCCESS;
11110	return VINF_EM_RAW_INTERRUPT;
11111	}
11112
11113
11114	/**
11115	* VM-exit handler for exceptions or NMIs (VMX_EXIT_XCPT_OR_NMI).
11116	*/
11117	HMVMX_EXIT_DECL hmR0VmxExitXcptOrNmi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11118	{
11119	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11120	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitXcptNmi, y3);
11121
11122	int rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
11123	AssertRCReturn(rc, rc);
11124
11125	uint32_t uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(pVmxTransient->uExitIntInfo);
11126	Assert( !(pVCpu->hm.s.vmx.u32ExitCtls & VMX_VMCS_CTRL_EXIT_ACK_EXT_INT)
11127	&& uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT);
11128	Assert(VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo));
11129
11130	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
11131	{
11132	/*
11133	* This cannot be a guest NMI as the only way for the guest to receive an NMI is if we injected it ourselves and
11134	* anything we inject is not going to cause a VM-exit directly for the event being injected.
11135	* See Intel spec. 27.2.3 "Information for VM Exits During Event Delivery".
11136	*
11137	* Dispatch the NMI to the host. See Intel spec. 27.5.5 "Updating Non-Register State".
11138	*/
11139	VMXDispatchHostNmi();
11140	STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitHostNmiInGC);
11141	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
11142	return VINF_SUCCESS;
11143	}
11144
11145	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
11146	VBOXSTRICTRC rcStrictRc1 = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
11147	if (RT_UNLIKELY(rcStrictRc1 == VINF_SUCCESS))
11148	{ /* likely */ }
11149	else
11150	{
11151	if (rcStrictRc1 == VINF_HM_DOUBLE_FAULT)
11152	rcStrictRc1 = VINF_SUCCESS;
11153	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
11154	return rcStrictRc1;
11155	}
11156
11157	uint32_t uExitIntInfo = pVmxTransient->uExitIntInfo;
11158	uint32_t uVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(uExitIntInfo);
11159	switch (uIntType)
11160	{
11161	case VMX_EXIT_INTERRUPTION_INFO_TYPE_PRIV_SW_XCPT: /* Privileged software exception. (#DB from ICEBP) */
11162	Assert(uVector == X86_XCPT_DB);
11163	/* no break */
11164	case VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT: /* Software exception. (#BP or #OF) */
11165	Assert(uVector == X86_XCPT_BP \|\| uVector == X86_XCPT_OF \|\| uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_PRIV_SW_XCPT);
11166	/* no break */
11167	case VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT:
11168	{
11169	/*
11170	* If there's any exception caused as a result of event injection, go back to
11171	* the interpreter. The page-fault case is complicated and we manually handle
11172	* any currently pending event in hmR0VmxExitXcptPF. Nested #ACs are already
11173	* handled in hmR0VmxCheckExitDueToEventDelivery.
11174	*/
11175	if (!pVCpu->hm.s.Event.fPending)
11176	{ /* likely */ }
11177	else if ( uVector != X86_XCPT_PF
11178	&& uVector != X86_XCPT_AC)
11179	{
11180	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectPendingInterpret);
11181	rc = VERR_EM_INTERPRETER;
11182	break;
11183	}
11184
11185	switch (uVector)
11186	{
11187	case X86_XCPT_PF: rc = hmR0VmxExitXcptPF(pVCpu, pMixedCtx, pVmxTransient); break;
11188	case X86_XCPT_GP: rc = hmR0VmxExitXcptGP(pVCpu, pMixedCtx, pVmxTransient); break;
11189	case X86_XCPT_NM: rc = hmR0VmxExitXcptNM(pVCpu, pMixedCtx, pVmxTransient); break;
11190	case X86_XCPT_MF: rc = hmR0VmxExitXcptMF(pVCpu, pMixedCtx, pVmxTransient); break;
11191	case X86_XCPT_DB: rc = hmR0VmxExitXcptDB(pVCpu, pMixedCtx, pVmxTransient); break;
11192	case X86_XCPT_BP: rc = hmR0VmxExitXcptBP(pVCpu, pMixedCtx, pVmxTransient); break;
11193	case X86_XCPT_AC: rc = hmR0VmxExitXcptAC(pVCpu, pMixedCtx, pVmxTransient); break;
11194
11195	case X86_XCPT_XF: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXF);
11196	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
11197	case X86_XCPT_DE: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDE);
11198	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
11199	case X86_XCPT_UD: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestUD);
11200	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
11201	case X86_XCPT_SS: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestSS);
11202	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
11203	case X86_XCPT_NP: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestNP);
11204	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
11205	case X86_XCPT_TS: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestTS);
11206	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
11207	default:
11208	{
11209	rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11210	AssertRCReturn(rc, rc);
11211
11212	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXcpUnk);
11213	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
11214	{
11215	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
11216	Assert(PDMVmmDevHeapIsEnabled(pVCpu->CTX_SUFF(pVM)));
11217	Assert(CPUMIsGuestInRealModeEx(pMixedCtx));
11218
11219	rc = hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
11220	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
11221	AssertRCReturn(rc, rc);
11222	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(uExitIntInfo),
11223	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode,
11224	0 /* GCPtrFaultAddress */);
11225	AssertRCReturn(rc, rc);
11226	}
11227	else
11228	{
11229	AssertMsgFailed(("Unexpected VM-exit caused by exception %#x\n", uVector));
11230	pVCpu->hm.s.u32HMError = uVector;
11231	rc = VERR_VMX_UNEXPECTED_EXCEPTION;
11232	}
11233	break;
11234	}
11235	}
11236	break;
11237	}
11238
11239	default:
11240	{
11241	pVCpu->hm.s.u32HMError = uExitIntInfo;
11242	rc = VERR_VMX_UNEXPECTED_INTERRUPTION_EXIT_TYPE;
11243	AssertMsgFailed(("Unexpected interruption info %#x\n", VMX_EXIT_INTERRUPTION_INFO_TYPE(uExitIntInfo)));
11244	break;
11245	}
11246	}
11247	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
11248	return rc;
11249	}
11250
11251
11252	/**
11253	* VM-exit handler for interrupt-window exiting (VMX_EXIT_INT_WINDOW).
11254	*/
11255	HMVMX_EXIT_NSRC_DECL hmR0VmxExitIntWindow(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11256	{
11257	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11258
11259	/* Indicate that we no longer need to VM-exit when the guest is ready to receive interrupts, it is now ready. */
11260	hmR0VmxClearIntWindowExitVmcs(pVCpu);
11261
11262	/* Deliver the pending interrupts via hmR0VmxEvaluatePendingEvent() and resume guest execution. */
11263	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIntWindow);
11264	return VINF_SUCCESS;
11265	}
11266
11267
11268	/**
11269	* VM-exit handler for NMI-window exiting (VMX_EXIT_NMI_WINDOW).
11270	*/
11271	HMVMX_EXIT_NSRC_DECL hmR0VmxExitNmiWindow(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11272	{
11273	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11274	if (RT_UNLIKELY(!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT)))
11275	{
11276	AssertMsgFailed(("Unexpected NMI-window exit.\n"));
11277	HMVMX_RETURN_UNEXPECTED_EXIT();
11278	}
11279
11280	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS));
11281
11282	/*
11283	* If block-by-STI is set when we get this VM-exit, it means the CPU doesn't block NMIs following STI.
11284	* It is therefore safe to unblock STI and deliver the NMI ourselves. See @bugref{7445}.
11285	*/
11286	uint32_t uIntrState = 0;
11287	int rc = VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &uIntrState);
11288	AssertRCReturn(rc, rc);
11289
11290	bool const fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
11291	if ( fBlockSti
11292	&& VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
11293	{
11294	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
11295	}
11296
11297	/* Indicate that we no longer need to VM-exit when the guest is ready to receive NMIs, it is now ready */
11298	hmR0VmxClearNmiWindowExitVmcs(pVCpu);
11299
11300	/* Deliver the pending NMI via hmR0VmxEvaluatePendingEvent() and resume guest execution. */
11301	return VINF_SUCCESS;
11302	}
11303
11304
11305	/**
11306	* VM-exit handler for WBINVD (VMX_EXIT_WBINVD). Conditional VM-exit.
11307	*/
11308	HMVMX_EXIT_NSRC_DECL hmR0VmxExitWbinvd(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11309	{
11310	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11311	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitWbinvd);
11312	return hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11313	}
11314
11315
11316	/**
11317	* VM-exit handler for INVD (VMX_EXIT_INVD). Unconditional VM-exit.
11318	*/
11319	HMVMX_EXIT_NSRC_DECL hmR0VmxExitInvd(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11320	{
11321	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11322	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInvd);
11323	return hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11324	}
11325
11326
11327	/**
11328	* VM-exit handler for CPUID (VMX_EXIT_CPUID). Unconditional VM-exit.
11329	*/
11330	HMVMX_EXIT_DECL hmR0VmxExitCpuid(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11331	{
11332	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11333	PVM pVM = pVCpu->CTX_SUFF(pVM);
11334	int rc = EMInterpretCpuId(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11335	if (RT_LIKELY(rc == VINF_SUCCESS))
11336	{
11337	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11338	Assert(pVmxTransient->cbInstr == 2);
11339	}
11340	else
11341	{
11342	AssertMsgFailed(("hmR0VmxExitCpuid: EMInterpretCpuId failed with %Rrc\n", rc));
11343	rc = VERR_EM_INTERPRETER;
11344	}
11345	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCpuid);
11346	return rc;
11347	}
11348
11349
11350	/**
11351	* VM-exit handler for GETSEC (VMX_EXIT_GETSEC). Unconditional VM-exit.
11352	*/
11353	HMVMX_EXIT_DECL hmR0VmxExitGetsec(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11354	{
11355	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11356	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx);
11357	AssertRCReturn(rc, rc);
11358
11359	if (pMixedCtx->cr4 & X86_CR4_SMXE)
11360	return VINF_EM_RAW_EMULATE_INSTR;
11361
11362	AssertMsgFailed(("hmR0VmxExitGetsec: unexpected VM-exit when CR4.SMXE is 0.\n"));
11363	HMVMX_RETURN_UNEXPECTED_EXIT();
11364	}
11365
11366
11367	/**
11368	* VM-exit handler for RDTSC (VMX_EXIT_RDTSC). Conditional VM-exit.
11369	*/
11370	HMVMX_EXIT_DECL hmR0VmxExitRdtsc(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11371	{
11372	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11373	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx); /** @todo review if CR4 is really required by EM. */
11374	AssertRCReturn(rc, rc);
11375
11376	PVM pVM = pVCpu->CTX_SUFF(pVM);
11377	rc = EMInterpretRdtsc(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11378	if (RT_LIKELY(rc == VINF_SUCCESS))
11379	{
11380	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11381	Assert(pVmxTransient->cbInstr == 2);
11382	/* If we get a spurious VM-exit when offsetting is enabled, we must reset offsetting on VM-reentry. See @bugref{6634}. */
11383	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TSC_OFFSETTING)
11384	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
11385	}
11386	else
11387	rc = VERR_EM_INTERPRETER;
11388	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdtsc);
11389	return rc;
11390	}
11391
11392
11393	/**
11394	* VM-exit handler for RDTSCP (VMX_EXIT_RDTSCP). Conditional VM-exit.
11395	*/
11396	HMVMX_EXIT_DECL hmR0VmxExitRdtscp(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11397	{
11398	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11399	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx); /** @todo review if CR4 is really required by EM. */
11400	rc \|= hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx); /* For MSR_K8_TSC_AUX */
11401	AssertRCReturn(rc, rc);
11402
11403	PVM pVM = pVCpu->CTX_SUFF(pVM);
11404	rc = EMInterpretRdtscp(pVM, pVCpu, pMixedCtx);
11405	if (RT_SUCCESS(rc))
11406	{
11407	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11408	Assert(pVmxTransient->cbInstr == 3);
11409	/* If we get a spurious VM-exit when offsetting is enabled, we must reset offsetting on VM-reentry. See @bugref{6634}. */
11410	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TSC_OFFSETTING)
11411	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
11412	}
11413	else
11414	{
11415	AssertMsgFailed(("hmR0VmxExitRdtscp: EMInterpretRdtscp failed with %Rrc\n", rc));
11416	rc = VERR_EM_INTERPRETER;
11417	}
11418	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdtsc);
11419	return rc;
11420	}
11421
11422
11423	/**
11424	* VM-exit handler for RDPMC (VMX_EXIT_RDPMC). Conditional VM-exit.
11425	*/
11426	HMVMX_EXIT_DECL hmR0VmxExitRdpmc(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11427	{
11428	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11429	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx); /** @todo review if CR4 is really required by EM. */
11430	rc \|= hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx); /** @todo review if CR0 is really required by EM. */
11431	AssertRCReturn(rc, rc);
11432
11433	PVM pVM = pVCpu->CTX_SUFF(pVM);
11434	rc = EMInterpretRdpmc(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11435	if (RT_LIKELY(rc == VINF_SUCCESS))
11436	{
11437	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11438	Assert(pVmxTransient->cbInstr == 2);
11439	}
11440	else
11441	{
11442	AssertMsgFailed(("hmR0VmxExitRdpmc: EMInterpretRdpmc failed with %Rrc\n", rc));
11443	rc = VERR_EM_INTERPRETER;
11444	}
11445	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdpmc);
11446	return rc;
11447	}
11448
11449
11450	/**
11451	* VM-exit handler for VMCALL (VMX_EXIT_VMCALL). Unconditional VM-exit.
11452	*/
11453	HMVMX_EXIT_DECL hmR0VmxExitVmcall(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11454	{
11455	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11456	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitVmcall);
11457
11458	VBOXSTRICTRC rcStrict = VERR_VMX_IPE_3;
11459	if (pVCpu->hm.s.fHypercallsEnabled)
11460	{
11461	#if 0
11462	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
11463	#else
11464	/* Aggressive state sync. for now. */
11465	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
11466	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx); /* For long-mode checks in gimKvmHypercall(). */
11467	AssertRCReturn(rc, rc);
11468	#endif
11469
11470	/* Perform the hypercall. */
11471	rcStrict = GIMHypercall(pVCpu, pMixedCtx);
11472	if (rcStrict == VINF_SUCCESS)
11473	{
11474	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11475	AssertRCReturn(rc, rc);
11476	}
11477	else
11478	Assert( rcStrict == VINF_GIM_R3_HYPERCALL
11479	\|\| rcStrict == VINF_GIM_HYPERCALL_CONTINUING
11480	\|\| RT_FAILURE(VBOXSTRICTRC_VAL(rcStrict)));
11481
11482	/* If the hypercall changes anything other than guest's general-purpose registers,
11483	we would need to reload the guest changed bits here before VM-entry. */
11484	}
11485	else
11486	Log4(("hmR0VmxExitVmcall: Hypercalls not enabled\n"));
11487
11488	/* If hypercalls are disabled or the hypercall failed for some reason, raise #UD and continue. */
11489	if (RT_FAILURE(VBOXSTRICTRC_VAL(rcStrict)))
11490	{
11491	hmR0VmxSetPendingXcptUD(pVCpu, pMixedCtx);
11492	rcStrict = VINF_SUCCESS;
11493	}
11494
11495	return rcStrict;
11496	}
11497
11498
11499	/**
11500	* VM-exit handler for INVLPG (VMX_EXIT_INVLPG). Conditional VM-exit.
11501	*/
11502	HMVMX_EXIT_DECL hmR0VmxExitInvlpg(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11503	{
11504	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11505	PVM pVM = pVCpu->CTX_SUFF(pVM);
11506	Assert(!pVM->hm.s.fNestedPaging \|\| pVCpu->hm.s.fUsingDebugLoop);
11507
11508	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11509	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
11510	AssertRCReturn(rc, rc);
11511
11512	VBOXSTRICTRC rcStrict = EMInterpretInvlpg(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx), pVmxTransient->uExitQualification);
11513	if (RT_LIKELY(rcStrict == VINF_SUCCESS))
11514	rcStrict = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11515	else
11516	AssertMsg(rcStrict == VERR_EM_INTERPRETER, ("hmR0VmxExitInvlpg: EMInterpretInvlpg %#RX64 failed with %Rrc\n",
11517	pVmxTransient->uExitQualification, VBOXSTRICTRC_VAL(rcStrict)));
11518	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInvlpg);
11519	return rcStrict;
11520	}
11521
11522
11523	/**
11524	* VM-exit handler for MONITOR (VMX_EXIT_MONITOR). Conditional VM-exit.
11525	*/
11526	HMVMX_EXIT_DECL hmR0VmxExitMonitor(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11527	{
11528	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11529	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11530	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
11531	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11532	AssertRCReturn(rc, rc);
11533
11534	PVM pVM = pVCpu->CTX_SUFF(pVM);
11535	rc = EMInterpretMonitor(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11536	if (RT_LIKELY(rc == VINF_SUCCESS))
11537	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11538	else
11539	{
11540	AssertMsg(rc == VERR_EM_INTERPRETER, ("hmR0VmxExitMonitor: EMInterpretMonitor failed with %Rrc\n", rc));
11541	rc = VERR_EM_INTERPRETER;
11542	}
11543	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitMonitor);
11544	return rc;
11545	}
11546
11547
11548	/**
11549	* VM-exit handler for MWAIT (VMX_EXIT_MWAIT). Conditional VM-exit.
11550	*/
11551	HMVMX_EXIT_DECL hmR0VmxExitMwait(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11552	{
11553	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11554	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11555	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
11556	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11557	AssertRCReturn(rc, rc);
11558
11559	PVM pVM = pVCpu->CTX_SUFF(pVM);
11560	VBOXSTRICTRC rc2 = EMInterpretMWait(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11561	rc = VBOXSTRICTRC_VAL(rc2);
11562	if (RT_LIKELY( rc == VINF_SUCCESS
11563	\|\| rc == VINF_EM_HALT))
11564	{
11565	int rc3 = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11566	AssertRCReturn(rc3, rc3);
11567
11568	if ( rc == VINF_EM_HALT
11569	&& EMMonitorWaitShouldContinue(pVCpu, pMixedCtx))
11570	{
11571	rc = VINF_SUCCESS;
11572	}
11573	}
11574	else
11575	{
11576	AssertMsg(rc == VERR_EM_INTERPRETER, ("hmR0VmxExitMwait: EMInterpretMWait failed with %Rrc\n", rc));
11577	rc = VERR_EM_INTERPRETER;
11578	}
11579	AssertMsg(rc == VINF_SUCCESS \|\| rc == VINF_EM_HALT \|\| rc == VERR_EM_INTERPRETER,
11580	("hmR0VmxExitMwait: failed, invalid error code %Rrc\n", rc));
11581	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitMwait);
11582	return rc;
11583	}
11584
11585
11586	/**
11587	* VM-exit handler for RSM (VMX_EXIT_RSM). Unconditional VM-exit.
11588	*/
11589	HMVMX_EXIT_NSRC_DECL hmR0VmxExitRsm(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11590	{
11591	/*
11592	* Execution of RSM outside of SMM mode causes #UD regardless of VMX root or VMX non-root mode. In theory, we should never
11593	* get this VM-exit. This can happen only if dual-monitor treatment of SMI and VMX is enabled, which can (only?) be done by
11594	* executing VMCALL in VMX root operation. If we get here, something funny is going on.
11595	* See Intel spec. "33.15.5 Enabling the Dual-Monitor Treatment".
11596	*/
11597	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11598	AssertMsgFailed(("Unexpected RSM VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11599	HMVMX_RETURN_UNEXPECTED_EXIT();
11600	}
11601
11602
11603	/**
11604	* VM-exit handler for SMI (VMX_EXIT_SMI). Unconditional VM-exit.
11605	*/
11606	HMVMX_EXIT_NSRC_DECL hmR0VmxExitSmi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11607	{
11608	/*
11609	* This can only happen if we support dual-monitor treatment of SMI, which can be activated by executing VMCALL in VMX
11610	* root operation. Only an STM (SMM transfer monitor) would get this VM-exit when we (the executive monitor) execute a VMCALL
11611	* in VMX root mode or receive an SMI. If we get here, something funny is going on.
11612	* See Intel spec. "33.15.6 Activating the Dual-Monitor Treatment" and Intel spec. 25.3 "Other Causes of VM-Exits"
11613	*/
11614	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11615	AssertMsgFailed(("Unexpected SMI VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11616	HMVMX_RETURN_UNEXPECTED_EXIT();
11617	}
11618
11619
11620	/**
11621	* VM-exit handler for IO SMI (VMX_EXIT_IO_SMI). Unconditional VM-exit.
11622	*/
11623	HMVMX_EXIT_NSRC_DECL hmR0VmxExitIoSmi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11624	{
11625	/* Same treatment as VMX_EXIT_SMI. See comment in hmR0VmxExitSmi(). */
11626	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11627	AssertMsgFailed(("Unexpected IO SMI VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11628	HMVMX_RETURN_UNEXPECTED_EXIT();
11629	}
11630
11631
11632	/**
11633	* VM-exit handler for SIPI (VMX_EXIT_SIPI). Conditional VM-exit.
11634	*/
11635	HMVMX_EXIT_NSRC_DECL hmR0VmxExitSipi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11636	{
11637	/*
11638	* SIPI exits can only occur in VMX non-root operation when the "wait-for-SIPI" guest activity state is used. We currently
11639	* don't make use of it (see hmR0VmxLoadGuestActivityState()) as our guests don't have direct access to the host LAPIC.
11640	* See Intel spec. 25.3 "Other Causes of VM-exits".
11641	*/
11642	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11643	AssertMsgFailed(("Unexpected SIPI VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11644	HMVMX_RETURN_UNEXPECTED_EXIT();
11645	}
11646
11647
11648	/**
11649	* VM-exit handler for INIT signal (VMX_EXIT_INIT_SIGNAL). Unconditional
11650	* VM-exit.
11651	*/
11652	HMVMX_EXIT_NSRC_DECL hmR0VmxExitInitSignal(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11653	{
11654	/*
11655	* INIT signals are blocked in VMX root operation by VMXON and by SMI in SMM.
11656	* See Intel spec. 33.14.1 Default Treatment of SMI Delivery" and Intel spec. 29.3 "VMX Instructions" for "VMXON".
11657	*
11658	* It is -NOT- blocked in VMX non-root operation so we can, in theory, still get these VM-exits.
11659	* See Intel spec. "23.8 Restrictions on VMX operation".
11660	*/
11661	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11662	return VINF_SUCCESS;
11663	}
11664
11665
11666	/**
11667	* VM-exit handler for triple faults (VMX_EXIT_TRIPLE_FAULT). Unconditional
11668	* VM-exit.
11669	*/
11670	HMVMX_EXIT_DECL hmR0VmxExitTripleFault(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11671	{
11672	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11673	return VINF_EM_RESET;
11674	}
11675
11676
11677	/**
11678	* VM-exit handler for HLT (VMX_EXIT_HLT). Conditional VM-exit.
11679	*/
11680	HMVMX_EXIT_DECL hmR0VmxExitHlt(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11681	{
11682	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11683	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_HLT_EXIT);
11684
11685	int rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11686	AssertRCReturn(rc, rc);
11687
11688	if (EMShouldContinueAfterHalt(pVCpu, pMixedCtx)) /* Requires eflags. */
11689	rc = VINF_SUCCESS;
11690	else
11691	rc = VINF_EM_HALT;
11692
11693	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitHlt);
11694	if (rc != VINF_SUCCESS)
11695	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHltToR3);
11696	return rc;
11697	}
11698
11699
11700	/**
11701	* VM-exit handler for instructions that result in a \#UD exception delivered to
11702	* the guest.
11703	*/
11704	HMVMX_EXIT_NSRC_DECL hmR0VmxExitSetPendingXcptUD(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11705	{
11706	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11707	hmR0VmxSetPendingXcptUD(pVCpu, pMixedCtx);
11708	return VINF_SUCCESS;
11709	}
11710
11711
11712	/**
11713	* VM-exit handler for expiry of the VMX preemption timer.
11714	*/
11715	HMVMX_EXIT_DECL hmR0VmxExitPreemptTimer(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11716	{
11717	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11718
11719	/* If the preemption-timer has expired, reinitialize the preemption timer on next VM-entry. */
11720	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
11721
11722	/* If there are any timer events pending, fall back to ring-3, otherwise resume guest execution. */
11723	PVM pVM = pVCpu->CTX_SUFF(pVM);
11724	bool fTimersPending = TMTimerPollBool(pVM, pVCpu);
11725	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPreemptTimer);
11726	return fTimersPending ? VINF_EM_RAW_TIMER_PENDING : VINF_SUCCESS;
11727	}
11728
11729
11730	/**
11731	* VM-exit handler for XSETBV (VMX_EXIT_XSETBV). Unconditional VM-exit.
11732	*/
11733	HMVMX_EXIT_DECL hmR0VmxExitXsetbv(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11734	{
11735	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11736
11737	int rc = hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
11738	rc \|= hmR0VmxSaveGuestRegsForIemExec(pVCpu, pMixedCtx, false /fMemory/, false /fNeedRsp/);
11739	rc \|= hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx);
11740	AssertRCReturn(rc, rc);
11741
11742	VBOXSTRICTRC rcStrict = IEMExecDecodedXsetbv(pVCpu, pVmxTransient->cbInstr);
11743	HMCPU_CF_SET(pVCpu, rcStrict != VINF_IEM_RAISED_XCPT ? HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS : HM_CHANGED_ALL_GUEST);
11744
11745	pVCpu->hm.s.fLoadSaveGuestXcr0 = (pMixedCtx->cr4 & X86_CR4_OSXSAVE) && pMixedCtx->aXcr[0] != ASMGetXcr0();
11746
11747	return rcStrict;
11748	}
11749
11750
11751	/**
11752	* VM-exit handler for INVPCID (VMX_EXIT_INVPCID). Conditional VM-exit.
11753	*/
11754	HMVMX_EXIT_DECL hmR0VmxExitInvpcid(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11755	{
11756	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11757
11758	/* The guest should not invalidate the host CPU's TLBs, fallback to interpreter. */
11759	/** @todo implement EMInterpretInvpcid() */
11760	return VERR_EM_INTERPRETER;
11761	}
11762
11763
11764	/**
11765	* VM-exit handler for invalid-guest-state (VMX_EXIT_ERR_INVALID_GUEST_STATE).
11766	* Error VM-exit.
11767	*/
11768	HMVMX_EXIT_NSRC_DECL hmR0VmxExitErrInvalidGuestState(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11769	{
11770	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
11771	AssertRCReturn(rc, rc);
11772
11773	rc = hmR0VmxCheckVmcsCtls(pVCpu);
11774	AssertRCReturn(rc, rc);
11775
11776	uint32_t uInvalidReason = hmR0VmxCheckGuestState(pVCpu->CTX_SUFF(pVM), pVCpu, pMixedCtx);
11777	NOREF(uInvalidReason);
11778
11779	#ifdef VBOX_STRICT
11780	uint32_t uIntrState;
11781	RTHCUINTREG uHCReg;
11782	uint64_t u64Val;
11783	uint32_t u32Val;
11784
11785	rc = hmR0VmxReadEntryIntInfoVmcs(pVmxTransient);
11786	rc \|= hmR0VmxReadEntryXcptErrorCodeVmcs(pVmxTransient);
11787	rc \|= hmR0VmxReadEntryInstrLenVmcs(pVmxTransient);
11788	rc \|= VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &uIntrState);
11789	AssertRCReturn(rc, rc);
11790
11791	Log4(("uInvalidReason %u\n", uInvalidReason));
11792	Log4(("VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO %#RX32\n", pVmxTransient->uEntryIntInfo));
11793	Log4(("VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE %#RX32\n", pVmxTransient->uEntryXcptErrorCode));
11794	Log4(("VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH %#RX32\n", pVmxTransient->cbEntryInstr));
11795	Log4(("VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE %#RX32\n", uIntrState));
11796
11797	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR0, &u32Val); AssertRC(rc);
11798	Log4(("VMX_VMCS_GUEST_CR0 %#RX32\n", u32Val));
11799	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_MASK, &uHCReg); AssertRC(rc);
11800	Log4(("VMX_VMCS_CTRL_CR0_MASK %#RHr\n", uHCReg));
11801	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_READ_SHADOW, &uHCReg); AssertRC(rc);
11802	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
11803	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_MASK, &uHCReg); AssertRC(rc);
11804	Log4(("VMX_VMCS_CTRL_CR4_MASK %#RHr\n", uHCReg));
11805	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_READ_SHADOW, &uHCReg); AssertRC(rc);
11806	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
11807	rc = VMXReadVmcs64(VMX_VMCS64_CTRL_EPTP_FULL, &u64Val); AssertRC(rc);
11808	Log4(("VMX_VMCS64_CTRL_EPTP_FULL %#RX64\n", u64Val));
11809	#else
11810	NOREF(pVmxTransient);
11811	#endif
11812
11813	HMDumpRegs(pVCpu->CTX_SUFF(pVM), pVCpu, pMixedCtx);
11814	return VERR_VMX_INVALID_GUEST_STATE;
11815	}
11816
11817
11818	/**
11819	* VM-exit handler for VM-entry failure due to an MSR-load
11820	* (VMX_EXIT_ERR_MSR_LOAD). Error VM-exit.
11821	*/
11822	HMVMX_EXIT_NSRC_DECL hmR0VmxExitErrMsrLoad(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11823	{
11824	NOREF(pVmxTransient);
11825	AssertMsgFailed(("Unexpected MSR-load exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx)); NOREF(pMixedCtx);
11826	HMVMX_RETURN_UNEXPECTED_EXIT();
11827	}
11828
11829
11830	/**
11831	* VM-exit handler for VM-entry failure due to a machine-check event
11832	* (VMX_EXIT_ERR_MACHINE_CHECK). Error VM-exit.
11833	*/
11834	HMVMX_EXIT_NSRC_DECL hmR0VmxExitErrMachineCheck(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11835	{
11836	NOREF(pVmxTransient);
11837	AssertMsgFailed(("Unexpected machine-check event exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx)); NOREF(pMixedCtx);
11838	HMVMX_RETURN_UNEXPECTED_EXIT();
11839	}
11840
11841
11842	/**
11843	* VM-exit handler for all undefined reasons. Should never ever happen.. in
11844	* theory.
11845	*/
11846	HMVMX_EXIT_NSRC_DECL hmR0VmxExitErrUndefined(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11847	{
11848	AssertMsgFailed(("Huh!? Undefined VM-exit reason %d. pVCpu=%p pMixedCtx=%p\n", pVmxTransient->uExitReason, pVCpu, pMixedCtx));
11849	NOREF(pVCpu); NOREF(pMixedCtx); NOREF(pVmxTransient);
11850	return VERR_VMX_UNDEFINED_EXIT_CODE;
11851	}
11852
11853
11854	/**
11855	* VM-exit handler for XDTR (LGDT, SGDT, LIDT, SIDT) accesses
11856	* (VMX_EXIT_XDTR_ACCESS) and LDT and TR access (LLDT, LTR, SLDT, STR).
11857	* Conditional VM-exit.
11858	*/
11859	HMVMX_EXIT_DECL hmR0VmxExitXdtrAccess(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11860	{
11861	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11862
11863	/* By default, we don't enable VMX_VMCS_CTRL_PROC_EXEC2_DESCRIPTOR_TABLE_EXIT. */
11864	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitXdtrAccess);
11865	if (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_DESCRIPTOR_TABLE_EXIT)
11866	return VERR_EM_INTERPRETER;
11867	AssertMsgFailed(("Unexpected XDTR access. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11868	HMVMX_RETURN_UNEXPECTED_EXIT();
11869	}
11870
11871
11872	/**
11873	* VM-exit handler for RDRAND (VMX_EXIT_RDRAND). Conditional VM-exit.
11874	*/
11875	HMVMX_EXIT_DECL hmR0VmxExitRdrand(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11876	{
11877	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11878
11879	/* By default, we don't enable VMX_VMCS_CTRL_PROC_EXEC2_RDRAND_EXIT. */
11880	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdrand);
11881	if (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_RDRAND_EXIT)
11882	return VERR_EM_INTERPRETER;
11883	AssertMsgFailed(("Unexpected RDRAND exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11884	HMVMX_RETURN_UNEXPECTED_EXIT();
11885	}
11886
11887
11888	/**
11889	* VM-exit handler for RDMSR (VMX_EXIT_RDMSR).
11890	*/
11891	HMVMX_EXIT_DECL hmR0VmxExitRdmsr(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11892	{
11893	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11894
11895	/* EMInterpretRdmsr() requires CR0, Eflags and SS segment register. */
11896	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11897	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
11898	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11899	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS))
11900	{
11901	rc \|= hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
11902	rc \|= hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
11903	}
11904	AssertRCReturn(rc, rc);
11905	Log4(("ecx=%#RX32\n", pMixedCtx->ecx));
11906
11907	#ifdef VBOX_STRICT
11908	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
11909	{
11910	if ( hmR0VmxIsAutoLoadStoreGuestMsr(pVCpu, pMixedCtx->ecx)
11911	&& pMixedCtx->ecx != MSR_K6_EFER)
11912	{
11913	AssertMsgFailed(("Unexpected RDMSR for an MSR in the auto-load/store area in the VMCS. ecx=%#RX32\n",
11914	pMixedCtx->ecx));
11915	HMVMX_RETURN_UNEXPECTED_EXIT();
11916	}
11917	if (hmR0VmxIsLazyGuestMsr(pVCpu, pMixedCtx->ecx))
11918	{
11919	VMXMSREXITREAD enmRead;
11920	VMXMSREXITWRITE enmWrite;
11921	int rc2 = hmR0VmxGetMsrPermission(pVCpu, pMixedCtx->ecx, &enmRead, &enmWrite);
11922	AssertRCReturn(rc2, rc2);
11923	if (enmRead == VMXMSREXIT_PASSTHRU_READ)
11924	{
11925	AssertMsgFailed(("Unexpected RDMSR for a passthru lazy-restore MSR. ecx=%#RX32\n", pMixedCtx->ecx));
11926	HMVMX_RETURN_UNEXPECTED_EXIT();
11927	}
11928	}
11929	}
11930	#endif
11931
11932	PVM pVM = pVCpu->CTX_SUFF(pVM);
11933	rc = EMInterpretRdmsr(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11934	AssertMsg(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER,
11935	("hmR0VmxExitRdmsr: failed, invalid error code %Rrc\n", rc));
11936	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdmsr);
11937	if (RT_SUCCESS(rc))
11938	{
11939	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11940	Assert(pVmxTransient->cbInstr == 2);
11941	}
11942	return rc;
11943	}
11944
11945
11946	/**
11947	* VM-exit handler for WRMSR (VMX_EXIT_WRMSR).
11948	*/
11949	HMVMX_EXIT_DECL hmR0VmxExitWrmsr(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11950	{
11951	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11952	PVM pVM = pVCpu->CTX_SUFF(pVM);
11953	int rc = VINF_SUCCESS;
11954
11955	/* EMInterpretWrmsr() requires CR0, EFLAGS and SS segment register. */
11956	rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11957	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
11958	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11959	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS))
11960	{
11961	rc \|= hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
11962	rc \|= hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
11963	}
11964	AssertRCReturn(rc, rc);
11965	Log4(("ecx=%#RX32 edx:eax=%#RX32:%#RX32\n", pMixedCtx->ecx, pMixedCtx->edx, pMixedCtx->eax));
11966
11967	rc = EMInterpretWrmsr(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11968	AssertMsg(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER, ("hmR0VmxExitWrmsr: failed, invalid error code %Rrc\n", rc));
11969	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitWrmsr);
11970
11971	if (RT_SUCCESS(rc))
11972	{
11973	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11974
11975	/* If this is an X2APIC WRMSR access, update the APIC state as well. */
11976	if ( pMixedCtx->ecx >= MSR_IA32_X2APIC_START
11977	&& pMixedCtx->ecx <= MSR_IA32_X2APIC_END)
11978	{
11979	/* We've already saved the APIC related guest-state (TPR) in hmR0VmxPostRunGuest(). When full APIC register
11980	* virtualization is implemented we'll have to make sure APIC state is saved from the VMCS before
11981	EMInterpretWrmsr() changes it. */
11982	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
11983	}
11984	else if (pMixedCtx->ecx == MSR_IA32_TSC) /* Windows 7 does this during bootup. See @bugref{6398}. */
11985	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
11986	else if (pMixedCtx->ecx == MSR_K6_EFER)
11987	{
11988	/*
11989	* If the guest touches EFER we need to update the VM-Entry and VM-Exit controls as well,
11990	* even if it is -not- touching bits that cause paging mode changes (LMA/LME). We care about
11991	* the other bits as well, SCE and NXE. See @bugref{7368}.
11992	*/
11993	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_EFER_MSR \| HM_CHANGED_VMX_ENTRY_CTLS \| HM_CHANGED_VMX_EXIT_CTLS);
11994	}
11995
11996	/* Update MSRs that are part of the VMCS and auto-load/store area when MSR-bitmaps are not supported. */
11997	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS))
11998	{
11999	switch (pMixedCtx->ecx)
12000	{
12001	case MSR_IA32_SYSENTER_CS: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SYSENTER_CS_MSR); break;
12002	case MSR_IA32_SYSENTER_EIP: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SYSENTER_EIP_MSR); break;
12003	case MSR_IA32_SYSENTER_ESP: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SYSENTER_ESP_MSR); break;
12004	case MSR_K8_FS_BASE: /* no break */
12005	case MSR_K8_GS_BASE: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS); break;
12006	case MSR_K6_EFER: /* already handled above */ break;
12007	default:
12008	{
12009	if (hmR0VmxIsAutoLoadStoreGuestMsr(pVCpu, pMixedCtx->ecx))
12010	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_AUTO_MSRS);
12011	else if (hmR0VmxIsLazyGuestMsr(pVCpu, pMixedCtx->ecx))
12012	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_LAZY_MSRS);
12013	break;
12014	}
12015	}
12016	}
12017	#ifdef VBOX_STRICT
12018	else
12019	{
12020	/* Paranoia. Validate that MSRs in the MSR-bitmaps with write-passthru are not intercepted. */
12021	switch (pMixedCtx->ecx)
12022	{
12023	case MSR_IA32_SYSENTER_CS:
12024	case MSR_IA32_SYSENTER_EIP:
12025	case MSR_IA32_SYSENTER_ESP:
12026	case MSR_K8_FS_BASE:
12027	case MSR_K8_GS_BASE:
12028	{
12029	AssertMsgFailed(("Unexpected WRMSR for an MSR in the VMCS. ecx=%#RX32\n", pMixedCtx->ecx));
12030	HMVMX_RETURN_UNEXPECTED_EXIT();
12031	}
12032
12033	/* Writes to MSRs in auto-load/store area/swapped MSRs, shouldn't cause VM-exits with MSR-bitmaps. */
12034	default:
12035	{
12036	if (hmR0VmxIsAutoLoadStoreGuestMsr(pVCpu, pMixedCtx->ecx))
12037	{
12038	/* EFER writes are always intercepted, see hmR0VmxLoadGuestMsrs(). */
12039	if (pMixedCtx->ecx != MSR_K6_EFER)
12040	{
12041	AssertMsgFailed(("Unexpected WRMSR for an MSR in the auto-load/store area in the VMCS. ecx=%#RX32\n",
12042	pMixedCtx->ecx));
12043	HMVMX_RETURN_UNEXPECTED_EXIT();
12044	}
12045	}
12046
12047	if (hmR0VmxIsLazyGuestMsr(pVCpu, pMixedCtx->ecx))
12048	{
12049	VMXMSREXITREAD enmRead;
12050	VMXMSREXITWRITE enmWrite;
12051	int rc2 = hmR0VmxGetMsrPermission(pVCpu, pMixedCtx->ecx, &enmRead, &enmWrite);
12052	AssertRCReturn(rc2, rc2);
12053	if (enmWrite == VMXMSREXIT_PASSTHRU_WRITE)
12054	{
12055	AssertMsgFailed(("Unexpected WRMSR for passthru, lazy-restore MSR. ecx=%#RX32\n", pMixedCtx->ecx));
12056	HMVMX_RETURN_UNEXPECTED_EXIT();
12057	}
12058	}
12059	break;
12060	}
12061	}
12062	}
12063	#endif /* VBOX_STRICT */
12064	}
12065	return rc;
12066	}
12067
12068
12069	/**
12070	* VM-exit handler for PAUSE (VMX_EXIT_PAUSE). Conditional VM-exit.
12071	*/
12072	HMVMX_EXIT_DECL hmR0VmxExitPause(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12073	{
12074	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12075
12076	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPause);
12077	return VINF_EM_RAW_INTERRUPT;
12078	}
12079
12080
12081	/**
12082	* VM-exit handler for when the TPR value is lowered below the specified
12083	* threshold (VMX_EXIT_TPR_BELOW_THRESHOLD). Conditional VM-exit.
12084	*/
12085	HMVMX_EXIT_NSRC_DECL hmR0VmxExitTprBelowThreshold(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12086	{
12087	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12088	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW);
12089
12090	/*
12091	* The TPR has already been updated, see hmR0VMXPostRunGuest(). RIP is also updated as part of the VM-exit by VT-x. Update
12092	* the threshold in the VMCS, deliver the pending interrupt via hmR0VmxPreRunGuest()->hmR0VmxInjectPendingEvent() and
12093	* resume guest execution.
12094	*/
12095	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
12096	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTprBelowThreshold);
12097	return VINF_SUCCESS;
12098	}
12099
12100
12101	/**
12102	* VM-exit handler for control-register accesses (VMX_EXIT_MOV_CRX). Conditional
12103	* VM-exit.
12104	*
12105	* @retval VINF_SUCCESS when guest execution can continue.
12106	* @retval VINF_PGM_CHANGE_MODE when shadow paging mode changed, back to ring-3.
12107	* @retval VINF_PGM_SYNC_CR3 CR3 sync is required, back to ring-3.
12108	* @retval VERR_EM_INTERPRETER when something unexpected happened, fallback to
12109	* interpreter.
12110	*/
12111	HMVMX_EXIT_DECL hmR0VmxExitMovCRx(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12112	{
12113	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12114	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitMovCRx, y2);
12115	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12116	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
12117	AssertRCReturn(rc, rc);
12118
12119	RTGCUINTPTR const uExitQualification = pVmxTransient->uExitQualification;
12120	uint32_t const uAccessType = VMX_EXIT_QUALIFICATION_CRX_ACCESS(uExitQualification);
12121	PVM pVM = pVCpu->CTX_SUFF(pVM);
12122	VBOXSTRICTRC rcStrict;
12123	rc = hmR0VmxSaveGuestRegsForIemExec(pVCpu, pMixedCtx, false /fMemory/, true /fNeedRsp/);
12124	switch (uAccessType)
12125	{
12126	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_WRITE: /* MOV to CRx */
12127	{
12128	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
12129	AssertRCReturn(rc, rc);
12130
12131	rcStrict = IEMExecDecodedMovCRxWrite(pVCpu, pVmxTransient->cbInstr,
12132	VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification),
12133	VMX_EXIT_QUALIFICATION_CRX_GENREG(uExitQualification));
12134	AssertMsg( rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT \|\| rcStrict == VINF_PGM_CHANGE_MODE
12135	\|\| rcStrict == VINF_PGM_SYNC_CR3, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
12136	switch (VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification))
12137	{
12138	case 0: /* CR0 */
12139	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
12140	Log4(("CRX CR0 write rcStrict=%Rrc CR0=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pMixedCtx->cr0));
12141	break;
12142	case 2: /* CR2 */
12143	/* Nothing to do here, CR2 it's not part of the VMCS. */
12144	break;
12145	case 3: /* CR3 */
12146	Assert(!pVM->hm.s.fNestedPaging \|\| !CPUMIsGuestPagingEnabledEx(pMixedCtx) \|\| pVCpu->hm.s.fUsingDebugLoop);
12147	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR3);
12148	Log4(("CRX CR3 write rcStrict=%Rrc CR3=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pMixedCtx->cr3));
12149	break;
12150	case 4: /* CR4 */
12151	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR4);
12152	Log4(("CRX CR4 write rc=%Rrc CR4=%#RX64 fLoadSaveGuestXcr0=%u\n",
12153	VBOXSTRICTRC_VAL(rcStrict), pMixedCtx->cr4, pVCpu->hm.s.fLoadSaveGuestXcr0));
12154	break;
12155	case 8: /* CR8 */
12156	Assert(!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW));
12157	/* CR8 contains the APIC TPR. Was updated by IEMExecDecodedMovCRxWrite(). */
12158	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
12159	break;
12160	default:
12161	AssertMsgFailed(("Invalid CRx register %#x\n", VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification)));
12162	break;
12163	}
12164
12165	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCRxWrite[VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification)]);
12166	break;
12167	}
12168
12169	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_READ: /* MOV from CRx */
12170	{
12171	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
12172	AssertRCReturn(rc, rc);
12173
12174	Assert( !pVM->hm.s.fNestedPaging
12175	\|\| !CPUMIsGuestPagingEnabledEx(pMixedCtx)
12176	\|\| pVCpu->hm.s.fUsingDebugLoop
12177	\|\| VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification) != 3);
12178
12179	/* CR8 reads only cause a VM-exit when the TPR shadow feature isn't enabled. */
12180	Assert( VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification) != 8
12181	\|\| !(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW));
12182
12183	rcStrict = IEMExecDecodedMovCRxRead(pVCpu, pVmxTransient->cbInstr,
12184	VMX_EXIT_QUALIFICATION_CRX_GENREG(uExitQualification),
12185	VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification));
12186	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
12187	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCRxRead[VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification)]);
12188	Log4(("CRX CR%d Read access rcStrict=%Rrc\n", VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification),
12189	VBOXSTRICTRC_VAL(rcStrict)));
12190	break;
12191	}
12192
12193	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_CLTS: /* CLTS (Clear Task-Switch Flag in CR0) */
12194	{
12195	AssertRCReturn(rc, rc);
12196	rcStrict = IEMExecDecodedClts(pVCpu, pVmxTransient->cbInstr);
12197	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
12198	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
12199	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitClts);
12200	Log4(("CRX CLTS rcStrict=%d\n", VBOXSTRICTRC_VAL(rcStrict)));
12201	break;
12202	}
12203
12204	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_LMSW: /* LMSW (Load Machine-Status Word into CR0) */
12205	{
12206	AssertRCReturn(rc, rc);
12207	rcStrict = IEMExecDecodedLmsw(pVCpu, pVmxTransient->cbInstr,
12208	VMX_EXIT_QUALIFICATION_CRX_LMSW_DATA(uExitQualification));
12209	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT \|\| rcStrict == VINF_PGM_CHANGE_MODE,
12210	("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
12211	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitLmsw);
12212	Log4(("CRX LMSW rcStrict=%d\n", VBOXSTRICTRC_VAL(rcStrict)));
12213	break;
12214	}
12215
12216	default:
12217	AssertMsgFailedReturn(("Invalid access-type in Mov CRx VM-exit qualification %#x\n", uAccessType),
12218	VERR_VMX_UNEXPECTED_EXCEPTION);
12219	}
12220
12221	HMCPU_CF_SET(pVCpu, rcStrict != VINF_IEM_RAISED_XCPT ? HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS : HM_CHANGED_ALL_GUEST);
12222	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitMovCRx, y2);
12223	NOREF(pVM);
12224	return rcStrict;
12225	}
12226
12227
12228	/**
12229	* VM-exit handler for I/O instructions (VMX_EXIT_IO_INSTR). Conditional
12230	* VM-exit.
12231	*/
12232	HMVMX_EXIT_DECL hmR0VmxExitIoInstr(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12233	{
12234	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12235	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitIO, y1);
12236
12237	int rc2 = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12238	rc2 \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
12239	rc2 \|= hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
12240	rc2 \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx); /* Eflag checks in EMInterpretDisasCurrent(). */
12241	rc2 \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx); /* CR0 checks & PGM* in EMInterpretDisasCurrent(). */
12242	rc2 \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx); /* SELM checks in EMInterpretDisasCurrent(). */
12243	/* EFER also required for longmode checks in EMInterpretDisasCurrent(), but it's always up-to-date. */
12244	AssertRCReturn(rc2, rc2);
12245
12246	/* Refer Intel spec. 27-5. "Exit Qualifications for I/O Instructions" for the format. */
12247	uint32_t uIOPort = VMX_EXIT_QUALIFICATION_IO_PORT(pVmxTransient->uExitQualification);
12248	uint8_t uIOWidth = VMX_EXIT_QUALIFICATION_IO_WIDTH(pVmxTransient->uExitQualification);
12249	bool fIOWrite = ( VMX_EXIT_QUALIFICATION_IO_DIRECTION(pVmxTransient->uExitQualification)
12250	== VMX_EXIT_QUALIFICATION_IO_DIRECTION_OUT);
12251	bool fIOString = VMX_EXIT_QUALIFICATION_IO_IS_STRING(pVmxTransient->uExitQualification);
12252	bool fGstStepping = RT_BOOL(pMixedCtx->eflags.Bits.u1TF);
12253	bool fDbgStepping = pVCpu->hm.s.fSingleInstruction;
12254	AssertReturn(uIOWidth <= 3 && uIOWidth != 2, VERR_VMX_IPE_1);
12255
12256	/* I/O operation lookup arrays. */
12257	static uint32_t const s_aIOSizes[4] = { 1, 2, 0, 4 }; /* Size of the I/O accesses. */
12258	static uint32_t const s_aIOOpAnd[4] = { 0xff, 0xffff, 0, 0xffffffff }; /* AND masks for saving the result (in AL/AX/EAX). */
12259
12260	VBOXSTRICTRC rcStrict;
12261	uint32_t const cbValue = s_aIOSizes[uIOWidth];
12262	uint32_t const cbInstr = pVmxTransient->cbInstr;
12263	bool fUpdateRipAlready = false; /* ugly hack, should be temporary. */
12264	PVM pVM = pVCpu->CTX_SUFF(pVM);
12265	if (fIOString)
12266	{
12267	#ifdef VBOX_WITH_2ND_IEM_STEP /* This used to gurus with debian 32-bit guest without NP (on ATA reads).
12268	See @bugref{5752#c158}. Should work now. */
12269	/*
12270	* INS/OUTS - I/O String instruction.
12271	*
12272	* Use instruction-information if available, otherwise fall back on
12273	* interpreting the instruction.
12274	*/
12275	Log4(("CS:RIP=%04x:%08RX64 %#06x/%u %c str\n", pMixedCtx->cs.Sel, pMixedCtx->rip, uIOPort, cbValue,
12276	fIOWrite ? 'w' : 'r'));
12277	AssertReturn(pMixedCtx->dx == uIOPort, VERR_VMX_IPE_2);
12278	if (MSR_IA32_VMX_BASIC_INFO_VMCS_INS_OUTS(pVM->hm.s.vmx.Msrs.u64BasicInfo))
12279	{
12280	rc2 = hmR0VmxReadExitInstrInfoVmcs(pVmxTransient);
12281	/** @todo optimize this, IEM should request the additional state if it needs it (GP, PF, ++). */
12282	rc2 \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
12283	AssertRCReturn(rc2, rc2);
12284	AssertReturn(pVmxTransient->ExitInstrInfo.StrIo.u3AddrSize <= 2, VERR_VMX_IPE_3);
12285	AssertCompile(IEMMODE_16BIT == 0 && IEMMODE_32BIT == 1 && IEMMODE_64BIT == 2);
12286	IEMMODE enmAddrMode = (IEMMODE)pVmxTransient->ExitInstrInfo.StrIo.u3AddrSize;
12287	bool fRep = VMX_EXIT_QUALIFICATION_IO_IS_REP(pVmxTransient->uExitQualification);
12288	if (fIOWrite)
12289	{
12290	rcStrict = IEMExecStringIoWrite(pVCpu, cbValue, enmAddrMode, fRep, cbInstr,
12291	pVmxTransient->ExitInstrInfo.StrIo.iSegReg, true /fIoChecked/);
12292	}
12293	else
12294	{
12295	/*
12296	* The segment prefix for INS cannot be overridden and is always ES. We can safely assume X86_SREG_ES.
12297	* Hence "iSegReg" field is undefined in the instruction-information field in VT-x for INS.
12298	* See Intel Instruction spec. for "INS".
12299	* See Intel spec. Table 27-8 "Format of the VM-Exit Instruction-Information Field as Used for INS and OUTS".
12300	*/
12301	rcStrict = IEMExecStringIoRead(pVCpu, cbValue, enmAddrMode, fRep, cbInstr, true /fIoChecked/);
12302	}
12303	}
12304	else
12305	{
12306	/** @todo optimize this, IEM should request the additional state if it needs it (GP, PF, ++). */
12307	rc2 = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
12308	AssertRCReturn(rc2, rc2);
12309	rcStrict = IEMExecOne(pVCpu);
12310	}
12311	/** @todo IEM needs to be setting these flags somehow. */
12312	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
12313	fUpdateRipAlready = true;
12314	#else
12315	PDISCPUSTATE pDis = &pVCpu->hm.s.DisState;
12316	rcStrict = EMInterpretDisasCurrent(pVM, pVCpu, pDis, NULL /* pcbInstr */);
12317	if (RT_SUCCESS(rcStrict))
12318	{
12319	if (fIOWrite)
12320	{
12321	rcStrict = IOMInterpretOUTSEx(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx), uIOPort, pDis->fPrefix,
12322	(DISCPUMODE)pDis->uAddrMode, cbValue);
12323	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOStringWrite);
12324	}
12325	else
12326	{
12327	rcStrict = IOMInterpretINSEx(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx), uIOPort, pDis->fPrefix,
12328	(DISCPUMODE)pDis->uAddrMode, cbValue);
12329	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOStringRead);
12330	}
12331	}
12332	else
12333	{
12334	AssertMsg(rcStrict == VERR_EM_INTERPRETER, ("rcStrict=%Rrc RIP=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict),
12335	pMixedCtx->rip));
12336	rcStrict = VINF_EM_RAW_EMULATE_INSTR;
12337	}
12338	#endif
12339	}
12340	else
12341	{
12342	/*
12343	* IN/OUT - I/O instruction.
12344	*/
12345	Log4(("CS:RIP=%04x:%08RX64 %#06x/%u %c\n", pMixedCtx->cs.Sel, pMixedCtx->rip, uIOPort, cbValue, fIOWrite ? 'w' : 'r'));
12346	uint32_t const uAndVal = s_aIOOpAnd[uIOWidth];
12347	Assert(!VMX_EXIT_QUALIFICATION_IO_IS_REP(pVmxTransient->uExitQualification));
12348	if (fIOWrite)
12349	{
12350	rcStrict = IOMIOPortWrite(pVM, pVCpu, uIOPort, pMixedCtx->eax & uAndVal, cbValue);
12351	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOWrite);
12352	}
12353	else
12354	{
12355	uint32_t u32Result = 0;
12356	rcStrict = IOMIOPortRead(pVM, pVCpu, uIOPort, &u32Result, cbValue);
12357	if (IOM_SUCCESS(rcStrict))
12358	{
12359	/* Save result of I/O IN instr. in AL/AX/EAX. */
12360	pMixedCtx->eax = (pMixedCtx->eax & ~uAndVal) \| (u32Result & uAndVal);
12361	}
12362	else if (rcStrict == VINF_IOM_R3_IOPORT_READ)
12363	HMR0SavePendingIOPortRead(pVCpu, pMixedCtx->rip, pMixedCtx->rip + cbInstr, uIOPort, uAndVal, cbValue);
12364	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIORead);
12365	}
12366	}
12367
12368	if (IOM_SUCCESS(rcStrict))
12369	{
12370	if (!fUpdateRipAlready)
12371	{
12372	hmR0VmxAdvanceGuestRipBy(pVCpu, pMixedCtx, cbInstr);
12373	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
12374	}
12375
12376	/*
12377	* INS/OUTS with REP prefix updates RFLAGS, can be observed with triple-fault guru while booting Fedora 17 64-bit guest.
12378	* See Intel Instruction reference for REP/REPE/REPZ/REPNE/REPNZ.
12379	*/
12380	if (fIOString)
12381	{
12382	/** @todo Single-step for INS/OUTS with REP prefix? */
12383	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS);
12384	}
12385	else if ( !fDbgStepping
12386	&& fGstStepping)
12387	{
12388	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
12389	}
12390
12391	/*
12392	* If any I/O breakpoints are armed, we need to check if one triggered
12393	* and take appropriate action.
12394	* Note that the I/O breakpoint type is undefined if CR4.DE is 0.
12395	*/
12396	rc2 = hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
12397	AssertRCReturn(rc2, rc2);
12398
12399	/** @todo Optimize away the DBGFBpIsHwIoArmed call by having DBGF tell the
12400	* execution engines about whether hyper BPs and such are pending. */
12401	uint32_t const uDr7 = pMixedCtx->dr[7];
12402	if (RT_UNLIKELY( ( (uDr7 & X86_DR7_ENABLED_MASK)
12403	&& X86_DR7_ANY_RW_IO(uDr7)
12404	&& (pMixedCtx->cr4 & X86_CR4_DE))
12405	\|\| DBGFBpIsHwIoArmed(pVM)))
12406	{
12407	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxIoCheck);
12408
12409	/* We're playing with the host CPU state here, make sure we don't preempt or longjmp. */
12410	VMMRZCallRing3Disable(pVCpu);
12411	HM_DISABLE_PREEMPT();
12412
12413	bool fIsGuestDbgActive = CPUMR0DebugStateMaybeSaveGuest(pVCpu, true /* fDr6 */);
12414
12415	VBOXSTRICTRC rcStrict2 = DBGFBpCheckIo(pVM, pVCpu, pMixedCtx, uIOPort, cbValue);
12416	if (rcStrict2 == VINF_EM_RAW_GUEST_TRAP)
12417	{
12418	/* Raise #DB. */
12419	if (fIsGuestDbgActive)
12420	ASMSetDR6(pMixedCtx->dr[6]);
12421	if (pMixedCtx->dr[7] != uDr7)
12422	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
12423
12424	hmR0VmxSetPendingXcptDB(pVCpu, pMixedCtx);
12425	}
12426	/* rcStrict is VINF_SUCCESS, VINF_IOM_R3_IOPORT_COMMIT_WRITE, or in [VINF_EM_FIRST..VINF_EM_LAST],
12427	however we can ditch VINF_IOM_R3_IOPORT_COMMIT_WRITE as it has VMCPU_FF_IOM as backup. */
12428	else if ( rcStrict2 != VINF_SUCCESS
12429	&& (rcStrict == VINF_SUCCESS \|\| rcStrict2 < rcStrict))
12430	rcStrict = rcStrict2;
12431	AssertCompile(VINF_EM_LAST < VINF_IOM_R3_IOPORT_COMMIT_WRITE);
12432
12433	HM_RESTORE_PREEMPT();
12434	VMMRZCallRing3Enable(pVCpu);
12435	}
12436	}
12437
12438	#ifdef VBOX_STRICT
12439	if (rcStrict == VINF_IOM_R3_IOPORT_READ)
12440	Assert(!fIOWrite);
12441	else if (rcStrict == VINF_IOM_R3_IOPORT_WRITE \|\| rcStrict == VINF_IOM_R3_IOPORT_COMMIT_WRITE)
12442	Assert(fIOWrite);
12443	else
12444	{
12445	#if 0 /** @todo r=bird: This is missing a bunch of VINF_EM_FIRST..VINF_EM_LAST
12446	* statuses, that the VMM device and some others may return. See
12447	* IOM_SUCCESS() for guidance. */
12448	AssertMsg( RT_FAILURE(rcStrict)
12449	\|\| rcStrict == VINF_SUCCESS
12450	\|\| rcStrict == VINF_EM_RAW_EMULATE_INSTR
12451	\|\| rcStrict == VINF_EM_DBG_BREAKPOINT
12452	\|\| rcStrict == VINF_EM_RAW_GUEST_TRAP
12453	\|\| rcStrict == VINF_EM_RAW_TO_R3
12454	\|\| rcStrict == VINF_TRPM_XCPT_DISPATCHED, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
12455	#endif
12456	}
12457	#endif
12458
12459	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitIO, y1);
12460	return rcStrict;
12461	}
12462
12463
12464	/**
12465	* VM-exit handler for task switches (VMX_EXIT_TASK_SWITCH). Unconditional
12466	* VM-exit.
12467	*/
12468	HMVMX_EXIT_DECL hmR0VmxExitTaskSwitch(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12469	{
12470	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12471
12472	/* Check if this task-switch occurred while delivery an event through the guest IDT. */
12473	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12474	AssertRCReturn(rc, rc);
12475	if (VMX_EXIT_QUALIFICATION_TASK_SWITCH_TYPE(pVmxTransient->uExitQualification) == VMX_EXIT_QUALIFICATION_TASK_SWITCH_TYPE_IDT)
12476	{
12477	rc = hmR0VmxReadIdtVectoringInfoVmcs(pVmxTransient);
12478	AssertRCReturn(rc, rc);
12479	if (VMX_IDT_VECTORING_INFO_VALID(pVmxTransient->uIdtVectoringInfo))
12480	{
12481	uint32_t uIntType = VMX_IDT_VECTORING_INFO_TYPE(pVmxTransient->uIdtVectoringInfo);
12482
12483	uint32_t uVector = VMX_IDT_VECTORING_INFO_VECTOR(pVmxTransient->uIdtVectoringInfo);
12484	bool fErrorCodeValid = VMX_IDT_VECTORING_INFO_ERROR_CODE_IS_VALID(pVmxTransient->uIdtVectoringInfo);
12485
12486	/* Save it as a pending event and it'll be converted to a TRPM event on the way out to ring-3. */
12487	Assert(!pVCpu->hm.s.Event.fPending);
12488	pVCpu->hm.s.Event.fPending = true;
12489	pVCpu->hm.s.Event.u64IntInfo = pVmxTransient->uIdtVectoringInfo;
12490	rc = hmR0VmxReadIdtVectoringErrorCodeVmcs(pVmxTransient);
12491	AssertRCReturn(rc, rc);
12492	if (fErrorCodeValid)
12493	pVCpu->hm.s.Event.u32ErrCode = pVmxTransient->uIdtVectoringErrorCode;
12494	else
12495	pVCpu->hm.s.Event.u32ErrCode = 0;
12496	if ( uIntType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT
12497	&& uVector == X86_XCPT_PF)
12498	{
12499	pVCpu->hm.s.Event.GCPtrFaultAddress = pMixedCtx->cr2;
12500	}
12501
12502	Log4(("Pending event on TaskSwitch uIntType=%#x uVector=%#x\n", uIntType, uVector));
12503	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTaskSwitch);
12504	return VINF_EM_RAW_INJECT_TRPM_EVENT;
12505	}
12506	}
12507
12508	/** @todo Emulate task switch someday, currently just going back to ring-3 for
12509	* emulation. */
12510	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTaskSwitch);
12511	return VERR_EM_INTERPRETER;
12512	}
12513
12514
12515	/**
12516	* VM-exit handler for monitor-trap-flag (VMX_EXIT_MTF). Conditional VM-exit.
12517	*/
12518	HMVMX_EXIT_DECL hmR0VmxExitMtf(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12519	{
12520	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12521	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG);
12522	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG;
12523	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
12524	AssertRCReturn(rc, rc);
12525	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitMtf);
12526	return VINF_EM_DBG_STEPPED;
12527	}
12528
12529
12530	/**
12531	* VM-exit handler for APIC access (VMX_EXIT_APIC_ACCESS). Conditional VM-exit.
12532	*/
12533	HMVMX_EXIT_DECL hmR0VmxExitApicAccess(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12534	{
12535	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12536
12537	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitApicAccess);
12538
12539	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
12540	VBOXSTRICTRC rcStrict1 = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
12541	if (RT_LIKELY(rcStrict1 == VINF_SUCCESS))
12542	{
12543	/* For some crazy guest, if an event delivery causes an APIC-access VM-exit, go to instruction emulation. */
12544	if (RT_UNLIKELY(pVCpu->hm.s.Event.fPending))
12545	{
12546	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectPendingInterpret);
12547	return VERR_EM_INTERPRETER;
12548	}
12549	}
12550	else
12551	{
12552	if (rcStrict1 == VINF_HM_DOUBLE_FAULT)
12553	rcStrict1 = VINF_SUCCESS;
12554	return rcStrict1;
12555	}
12556
12557	#if 0
12558	/** @todo Investigate if IOMMMIOPhysHandler() requires a lot of state, for now
12559	* just sync the whole thing. */
12560	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
12561	#else
12562	/* Aggressive state sync. for now. */
12563	int rc = hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
12564	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
12565	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
12566	#endif
12567	rc \|= hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12568	AssertRCReturn(rc, rc);
12569
12570	/* See Intel spec. 27-6 "Exit Qualifications for APIC-access VM-exits from Linear Accesses & Guest-Phyiscal Addresses" */
12571	uint32_t uAccessType = VMX_EXIT_QUALIFICATION_APIC_ACCESS_TYPE(pVmxTransient->uExitQualification);
12572	VBOXSTRICTRC rcStrict2;
12573	switch (uAccessType)
12574	{
12575	case VMX_APIC_ACCESS_TYPE_LINEAR_WRITE:
12576	case VMX_APIC_ACCESS_TYPE_LINEAR_READ:
12577	{
12578	AssertMsg( !(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
12579	\|\| VMX_EXIT_QUALIFICATION_APIC_ACCESS_OFFSET(pVmxTransient->uExitQualification) != 0x80,
12580	("hmR0VmxExitApicAccess: can't access TPR offset while using TPR shadowing.\n"));
12581
12582	RTGCPHYS GCPhys = pMixedCtx->msrApicBase; /* Always up-to-date, msrApicBase is not part of the VMCS. */
12583	GCPhys &= PAGE_BASE_GC_MASK;
12584	GCPhys += VMX_EXIT_QUALIFICATION_APIC_ACCESS_OFFSET(pVmxTransient->uExitQualification);
12585	PVM pVM = pVCpu->CTX_SUFF(pVM);
12586	Log4(("ApicAccess uAccessType=%#x GCPhys=%#RGp Off=%#x\n", uAccessType, GCPhys,
12587	VMX_EXIT_QUALIFICATION_APIC_ACCESS_OFFSET(pVmxTransient->uExitQualification)));
12588
12589	rcStrict2 = IOMMMIOPhysHandler(pVM, pVCpu,
12590	uAccessType == VMX_APIC_ACCESS_TYPE_LINEAR_READ ? 0 : X86_TRAP_PF_RW,
12591	CPUMCTX2CORE(pMixedCtx), GCPhys);
12592	Log4(("ApicAccess rcStrict2=%d\n", VBOXSTRICTRC_VAL(rcStrict2)));
12593	if ( rcStrict2 == VINF_SUCCESS
12594	\|\| rcStrict2 == VERR_PAGE_TABLE_NOT_PRESENT
12595	\|\| rcStrict2 == VERR_PAGE_NOT_PRESENT)
12596	{
12597	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
12598	\| HM_CHANGED_GUEST_RSP
12599	\| HM_CHANGED_GUEST_RFLAGS
12600	\| HM_CHANGED_VMX_GUEST_APIC_STATE);
12601	rcStrict2 = VINF_SUCCESS;
12602	}
12603	break;
12604	}
12605
12606	default:
12607	Log4(("ApicAccess uAccessType=%#x\n", uAccessType));
12608	rcStrict2 = VINF_EM_RAW_EMULATE_INSTR;
12609	break;
12610	}
12611
12612	if (rcStrict2 != VINF_SUCCESS)
12613	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchApicAccessToR3);
12614	return rcStrict2;
12615	}
12616
12617
12618	/**
12619	* VM-exit handler for debug-register accesses (VMX_EXIT_MOV_DRX). Conditional
12620	* VM-exit.
12621	*/
12622	HMVMX_EXIT_DECL hmR0VmxExitMovDRx(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12623	{
12624	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12625
12626	/* We should -not- get this VM-exit if the guest's debug registers were active. */
12627	if (pVmxTransient->fWasGuestDebugStateActive)
12628	{
12629	AssertMsgFailed(("Unexpected MOV DRx exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
12630	HMVMX_RETURN_UNEXPECTED_EXIT();
12631	}
12632
12633	if ( !pVCpu->hm.s.fSingleInstruction
12634	&& !pVmxTransient->fWasHyperDebugStateActive)
12635	{
12636	Assert(!DBGFIsStepping(pVCpu));
12637	Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_DB));
12638
12639	/* Don't intercept MOV DRx any more. */
12640	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT;
12641	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
12642	AssertRCReturn(rc, rc);
12643
12644	/* We're playing with the host CPU state here, make sure we can't preempt or longjmp. */
12645	VMMRZCallRing3Disable(pVCpu);
12646	HM_DISABLE_PREEMPT();
12647
12648	/* Save the host & load the guest debug state, restart execution of the MOV DRx instruction. */
12649	CPUMR0LoadGuestDebugState(pVCpu, true /* include DR6 */);
12650	Assert(CPUMIsGuestDebugStateActive(pVCpu) \|\| HC_ARCH_BITS == 32);
12651
12652	HM_RESTORE_PREEMPT();
12653	VMMRZCallRing3Enable(pVCpu);
12654
12655	#ifdef VBOX_WITH_STATISTICS
12656	rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12657	AssertRCReturn(rc, rc);
12658	if (VMX_EXIT_QUALIFICATION_DRX_DIRECTION(pVmxTransient->uExitQualification) == VMX_EXIT_QUALIFICATION_DRX_DIRECTION_WRITE)
12659	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxWrite);
12660	else
12661	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxRead);
12662	#endif
12663	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxContextSwitch);
12664	return VINF_SUCCESS;
12665	}
12666
12667	/*
12668	* EMInterpretDRx[Write\|Read]() calls CPUMIsGuestIn64BitCode() which requires EFER, CS. EFER is always up-to-date.
12669	* Update the segment registers and DR7 from the CPU.
12670	*/
12671	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12672	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
12673	rc \|= hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
12674	AssertRCReturn(rc, rc);
12675	Log4(("CS:RIP=%04x:%08RX64\n", pMixedCtx->cs.Sel, pMixedCtx->rip));
12676
12677	PVM pVM = pVCpu->CTX_SUFF(pVM);
12678	if (VMX_EXIT_QUALIFICATION_DRX_DIRECTION(pVmxTransient->uExitQualification) == VMX_EXIT_QUALIFICATION_DRX_DIRECTION_WRITE)
12679	{
12680	rc = EMInterpretDRxWrite(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx),
12681	VMX_EXIT_QUALIFICATION_DRX_REGISTER(pVmxTransient->uExitQualification),
12682	VMX_EXIT_QUALIFICATION_DRX_GENREG(pVmxTransient->uExitQualification));
12683	if (RT_SUCCESS(rc))
12684	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
12685	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxWrite);
12686	}
12687	else
12688	{
12689	rc = EMInterpretDRxRead(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx),
12690	VMX_EXIT_QUALIFICATION_DRX_GENREG(pVmxTransient->uExitQualification),
12691	VMX_EXIT_QUALIFICATION_DRX_REGISTER(pVmxTransient->uExitQualification));
12692	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxRead);
12693	}
12694
12695	Assert(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER);
12696	if (RT_SUCCESS(rc))
12697	{
12698	int rc2 = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
12699	AssertRCReturn(rc2, rc2);
12700	return VINF_SUCCESS;
12701	}
12702	return rc;
12703	}
12704
12705
12706	/**
12707	* VM-exit handler for EPT misconfiguration (VMX_EXIT_EPT_MISCONFIG).
12708	* Conditional VM-exit.
12709	*/
12710	HMVMX_EXIT_DECL hmR0VmxExitEptMisconfig(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12711	{
12712	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12713	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fNestedPaging);
12714
12715	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
12716	VBOXSTRICTRC rcStrict1 = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
12717	if (RT_LIKELY(rcStrict1 == VINF_SUCCESS))
12718	{
12719	/* If event delivery causes an EPT misconfig (MMIO), go back to instruction emulation as otherwise
12720	injecting the original pending event would most likely cause the same EPT misconfig VM-exit. */
12721	if (RT_UNLIKELY(pVCpu->hm.s.Event.fPending))
12722	{
12723	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectPendingInterpret);
12724	return VERR_EM_INTERPRETER;
12725	}
12726	}
12727	else
12728	{
12729	if (rcStrict1 == VINF_HM_DOUBLE_FAULT)
12730	rcStrict1 = VINF_SUCCESS;
12731	return rcStrict1;
12732	}
12733
12734	RTGCPHYS GCPhys = 0;
12735	int rc = VMXReadVmcs64(VMX_VMCS64_EXIT_GUEST_PHYS_ADDR_FULL, &GCPhys);
12736
12737	#if 0
12738	rc \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx); /** @todo Can we do better? */
12739	#else
12740	/* Aggressive state sync. for now. */
12741	rc \|= hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
12742	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
12743	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
12744	#endif
12745	AssertRCReturn(rc, rc);
12746
12747	/*
12748	* If we succeed, resume guest execution.
12749	* If we fail in interpreting the instruction because we couldn't get the guest physical address
12750	* of the page containing the instruction via the guest's page tables (we would invalidate the guest page
12751	* in the host TLB), resume execution which would cause a guest page fault to let the guest handle this
12752	* weird case. See @bugref{6043}.
12753	*/
12754	PVM pVM = pVCpu->CTX_SUFF(pVM);
12755	VBOXSTRICTRC rcStrict2 = PGMR0Trap0eHandlerNPMisconfig(pVM, pVCpu, PGMMODE_EPT, CPUMCTX2CORE(pMixedCtx), GCPhys, UINT32_MAX);
12756	Log4(("EPT misconfig at %#RGp RIP=%#RX64 rc=%Rrc\n", GCPhys, pMixedCtx->rip, VBOXSTRICTRC_VAL(rcStrict2)));
12757	if ( rcStrict2 == VINF_SUCCESS
12758	\|\| rcStrict2 == VERR_PAGE_TABLE_NOT_PRESENT
12759	\|\| rcStrict2 == VERR_PAGE_NOT_PRESENT)
12760	{
12761	/* Successfully handled MMIO operation. */
12762	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
12763	\| HM_CHANGED_GUEST_RSP
12764	\| HM_CHANGED_GUEST_RFLAGS
12765	\| HM_CHANGED_VMX_GUEST_APIC_STATE);
12766	return VINF_SUCCESS;
12767	}
12768	return rcStrict2;
12769	}
12770
12771
12772	/**
12773	* VM-exit handler for EPT violation (VMX_EXIT_EPT_VIOLATION). Conditional
12774	* VM-exit.
12775	*/
12776	HMVMX_EXIT_DECL hmR0VmxExitEptViolation(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12777	{
12778	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
12779	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fNestedPaging);
12780
12781	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
12782	VBOXSTRICTRC rcStrict1 = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
12783	if (RT_LIKELY(rcStrict1 == VINF_SUCCESS))
12784	{
12785	/* In the unlikely case that the EPT violation happened as a result of delivering an event, log it. */
12786	if (RT_UNLIKELY(pVCpu->hm.s.Event.fPending))
12787	Log4(("EPT violation with an event pending u64IntInfo=%#RX64\n", pVCpu->hm.s.Event.u64IntInfo));
12788	}
12789	else
12790	{
12791	if (rcStrict1 == VINF_HM_DOUBLE_FAULT)
12792	rcStrict1 = VINF_SUCCESS;
12793	return rcStrict1;
12794	}
12795
12796	RTGCPHYS GCPhys = 0;
12797	int rc = VMXReadVmcs64(VMX_VMCS64_EXIT_GUEST_PHYS_ADDR_FULL, &GCPhys);
12798	rc \|= hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12799	#if 0
12800	rc \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx); /** @todo Can we do better? */
12801	#else
12802	/* Aggressive state sync. for now. */
12803	rc \|= hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
12804	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
12805	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
12806	#endif
12807	AssertRCReturn(rc, rc);
12808
12809	/* Intel spec. Table 27-7 "Exit Qualifications for EPT violations". */
12810	AssertMsg(((pVmxTransient->uExitQualification >> 7) & 3) != 2, ("%#RX64", pVmxTransient->uExitQualification));
12811
12812	RTGCUINT uErrorCode = 0;
12813	if (pVmxTransient->uExitQualification & VMX_EXIT_QUALIFICATION_EPT_INSTR_FETCH)
12814	uErrorCode \|= X86_TRAP_PF_ID;
12815	if (pVmxTransient->uExitQualification & VMX_EXIT_QUALIFICATION_EPT_DATA_WRITE)
12816	uErrorCode \|= X86_TRAP_PF_RW;
12817	if (pVmxTransient->uExitQualification & VMX_EXIT_QUALIFICATION_EPT_ENTRY_PRESENT)
12818	uErrorCode \|= X86_TRAP_PF_P;
12819
12820	TRPMAssertXcptPF(pVCpu, GCPhys, uErrorCode);
12821
12822	Log4(("EPT violation %#x at %#RX64 ErrorCode %#x CS:RIP=%04x:%08RX64\n", pVmxTransient->uExitQualification, GCPhys,
12823	uErrorCode, pMixedCtx->cs.Sel, pMixedCtx->rip));
12824
12825	/* Handle the pagefault trap for the nested shadow table. */
12826	PVM pVM = pVCpu->CTX_SUFF(pVM);
12827	VBOXSTRICTRC rcStrict2 = PGMR0Trap0eHandlerNestedPaging(pVM, pVCpu, PGMMODE_EPT, uErrorCode, CPUMCTX2CORE(pMixedCtx), GCPhys);
12828	TRPMResetTrap(pVCpu);
12829
12830	/* Same case as PGMR0Trap0eHandlerNPMisconfig(). See comment above, @bugref{6043}. */
12831	if ( rcStrict2 == VINF_SUCCESS
12832	\|\| rcStrict2 == VERR_PAGE_TABLE_NOT_PRESENT
12833	\|\| rcStrict2 == VERR_PAGE_NOT_PRESENT)
12834	{
12835	/* Successfully synced our nested page tables. */
12836	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitReasonNpf);
12837	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
12838	\| HM_CHANGED_GUEST_RSP
12839	\| HM_CHANGED_GUEST_RFLAGS);
12840	return VINF_SUCCESS;
12841	}
12842
12843	Log4(("EPT return to ring-3 rcStrict2=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict2)));
12844	return rcStrict2;
12845	}
12846
12847	/** @} */
12848
12849	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-= */
12850	/* -=-=-=-=-=-=-=-=-=- VM-exit Exception Handlers -=-=-=-=-=-=-=-=-=-=- */
12851	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-= */
12852
12853	/** @name VM-exit exception handlers.
12854	* @{
12855	*/
12856
12857	/**
12858	* VM-exit exception handler for \#MF (Math Fault: floating point exception).
12859	*/
12860	static int hmR0VmxExitXcptMF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12861	{
12862	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
12863	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestMF);
12864
12865	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
12866	AssertRCReturn(rc, rc);
12867
12868	if (!(pMixedCtx->cr0 & X86_CR0_NE))
12869	{
12870	/* Convert a #MF into a FERR -> IRQ 13. See @bugref{6117}. */
12871	rc = PDMIsaSetIrq(pVCpu->CTX_SUFF(pVM), 13, 1, 0 /* uTagSrc */);
12872
12873	/** @todo r=ramshankar: The Intel spec. does -not- specify that this VM-exit
12874	* provides VM-exit instruction length. If this causes problem later,
12875	* disassemble the instruction like it's done on AMD-V. */
12876	int rc2 = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
12877	AssertRCReturn(rc2, rc2);
12878	return rc;
12879	}
12880
12881	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
12882	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
12883	return rc;
12884	}
12885
12886
12887	/**
12888	* VM-exit exception handler for \#BP (Breakpoint exception).
12889	*/
12890	static int hmR0VmxExitXcptBP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12891	{
12892	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
12893	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestBP);
12894
12895	/** @todo Try optimize this by not saving the entire guest state unless
12896	* really needed. */
12897	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
12898	AssertRCReturn(rc, rc);
12899
12900	PVM pVM = pVCpu->CTX_SUFF(pVM);
12901	rc = DBGFRZTrap03Handler(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
12902	if (rc == VINF_EM_RAW_GUEST_TRAP)
12903	{
12904	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
12905	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
12906	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
12907	AssertRCReturn(rc, rc);
12908
12909	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
12910	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
12911	}
12912
12913	Assert(rc == VINF_SUCCESS \|\| rc == VINF_EM_RAW_GUEST_TRAP \|\| rc == VINF_EM_DBG_BREAKPOINT);
12914	return rc;
12915	}
12916
12917
12918	/**
12919	* VM-exit exception handler for \#AC (alignment check exception).
12920	*/
12921	static int hmR0VmxExitXcptAC(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12922	{
12923	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
12924
12925	/*
12926	* Re-inject it. We'll detect any nesting before getting here.
12927	*/
12928	int rc = hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
12929	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
12930	AssertRCReturn(rc, rc);
12931	Assert(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO);
12932
12933	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
12934	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
12935	return VINF_SUCCESS;
12936	}
12937
12938
12939	/**
12940	* VM-exit exception handler for \#DB (Debug exception).
12941	*/
12942	static int hmR0VmxExitXcptDB(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12943	{
12944	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
12945	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDB);
12946	Log6(("XcptDB\n"));
12947
12948	/*
12949	* Get the DR6-like values from the VM-exit qualification and pass it to DBGF
12950	* for processing.
12951	*/
12952	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12953	AssertRCReturn(rc, rc);
12954
12955	/* Refer Intel spec. Table 27-1. "Exit Qualifications for debug exceptions" for the format. */
12956	uint64_t uDR6 = X86_DR6_INIT_VAL;
12957	uDR6 \|= ( pVmxTransient->uExitQualification
12958	& (X86_DR6_B0 \| X86_DR6_B1 \| X86_DR6_B2 \| X86_DR6_B3 \| X86_DR6_BD \| X86_DR6_BS));
12959
12960	rc = DBGFRZTrap01Handler(pVCpu->CTX_SUFF(pVM), pVCpu, CPUMCTX2CORE(pMixedCtx), uDR6, pVCpu->hm.s.fSingleInstruction);
12961	if (rc == VINF_EM_RAW_GUEST_TRAP)
12962	{
12963	/*
12964	* The exception was for the guest. Update DR6, DR7.GD and
12965	* IA32_DEBUGCTL.LBR before forwarding it.
12966	* (See Intel spec. 27.1 "Architectural State before a VM-Exit".)
12967	*/
12968	VMMRZCallRing3Disable(pVCpu);
12969	HM_DISABLE_PREEMPT();
12970
12971	pMixedCtx->dr[6] &= ~X86_DR6_B_MASK;
12972	pMixedCtx->dr[6] \|= uDR6;
12973	if (CPUMIsGuestDebugStateActive(pVCpu))
12974	ASMSetDR6(pMixedCtx->dr[6]);
12975
12976	HM_RESTORE_PREEMPT();
12977	VMMRZCallRing3Enable(pVCpu);
12978
12979	rc = hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
12980	AssertRCReturn(rc, rc);
12981
12982	/* X86_DR7_GD will be cleared if DRx accesses should be trapped inside the guest. */
12983	pMixedCtx->dr[7] &= ~X86_DR7_GD;
12984
12985	/* Paranoia. */
12986	pMixedCtx->dr[7] &= ~X86_DR7_RAZ_MASK;
12987	pMixedCtx->dr[7] \|= X86_DR7_RA1_MASK;
12988
12989	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_DR7, (uint32_t)pMixedCtx->dr[7]);
12990	AssertRCReturn(rc, rc);
12991
12992	/*
12993	* Raise #DB in the guest.
12994	*
12995	* It is important to reflect what the VM-exit gave us (preserving the interruption-type) rather than use
12996	* hmR0VmxSetPendingXcptDB() as the #DB could've been raised while executing ICEBP and not the 'normal' #DB.
12997	* Thus it -may- trigger different handling in the CPU (like skipped DPL checks). See @bugref{6398}.
12998	*
12999	* Since ICEBP isn't documented on Intel, see AMD spec. 15.20 "Event Injection".
13000	*/
13001	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
13002	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
13003	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
13004	AssertRCReturn(rc, rc);
13005	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
13006	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
13007	return VINF_SUCCESS;
13008	}
13009
13010	/*
13011	* Not a guest trap, must be a hypervisor related debug event then.
13012	* Update DR6 in case someone is interested in it.
13013	*/
13014	AssertMsg(rc == VINF_EM_DBG_STEPPED \|\| rc == VINF_EM_DBG_BREAKPOINT, ("%Rrc\n", rc));
13015	AssertReturn(pVmxTransient->fWasHyperDebugStateActive, VERR_HM_IPE_5);
13016	CPUMSetHyperDR6(pVCpu, uDR6);
13017
13018	return rc;
13019	}
13020
13021
13022	/**
13023	* VM-exit exception handler for \#NM (Device-not-available exception: floating
13024	* point exception).
13025	*/
13026	static int hmR0VmxExitXcptNM(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
13027	{
13028	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
13029
13030	/* We require CR0 and EFER. EFER is always up-to-date. */
13031	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
13032	AssertRCReturn(rc, rc);
13033
13034	/* We're playing with the host CPU state here, have to disable preemption or longjmp. */
13035	VMMRZCallRing3Disable(pVCpu);
13036	HM_DISABLE_PREEMPT();
13037
13038	/* If the guest FPU was active at the time of the #NM exit, then it's a guest fault. */
13039	if (pVmxTransient->fWasGuestFPUStateActive)
13040	{
13041	rc = VINF_EM_RAW_GUEST_TRAP;
13042	Assert(CPUMIsGuestFPUStateActive(pVCpu) \|\| HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR0));
13043	}
13044	else
13045	{
13046	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
13047	Assert(!pVmxTransient->fWasGuestFPUStateActive \|\| pVCpu->hm.s.fUsingDebugLoop);
13048	#endif
13049	rc = CPUMR0Trap07Handler(pVCpu->CTX_SUFF(pVM), pVCpu);
13050	Assert( rc == VINF_EM_RAW_GUEST_TRAP
13051	\|\| ((rc == VINF_SUCCESS \|\| rc == VINF_CPUM_HOST_CR0_MODIFIED) && CPUMIsGuestFPUStateActive(pVCpu)));
13052	if (rc == VINF_CPUM_HOST_CR0_MODIFIED)
13053	HMCPU_CF_SET(pVCpu, HM_CHANGED_HOST_CONTEXT);
13054	}
13055
13056	HM_RESTORE_PREEMPT();
13057	VMMRZCallRing3Enable(pVCpu);
13058
13059	if (rc == VINF_SUCCESS \|\| rc == VINF_CPUM_HOST_CR0_MODIFIED)
13060	{
13061	/* Guest FPU state was activated, we'll want to change CR0 FPU intercepts before the next VM-reentry. */
13062	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
13063	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowNM);
13064	pVCpu->hm.s.fPreloadGuestFpu = true;
13065	}
13066	else
13067	{
13068	/* Forward #NM to the guest. */
13069	Assert(rc == VINF_EM_RAW_GUEST_TRAP);
13070	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
13071	AssertRCReturn(rc, rc);
13072	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
13073	pVmxTransient->cbInstr, 0 /* error code /, 0 / GCPtrFaultAddress */);
13074	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestNM);
13075	}
13076
13077	return VINF_SUCCESS;
13078	}
13079
13080
13081	/**
13082	* VM-exit exception handler for \#GP (General-protection exception).
13083	*
13084	* @remarks Requires pVmxTransient->uExitIntInfo to be up-to-date.
13085	*/
13086	static int hmR0VmxExitXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
13087	{
13088	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
13089	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestGP);
13090
13091	int rc;
13092	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
13093	{ /* likely */ }
13094	else
13095	{
13096	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
13097	Assert(pVCpu->hm.s.fUsingDebugLoop);
13098	#endif
13099	/* If the guest is not in real-mode or we have unrestricted execution support, reflect #GP to the guest. */
13100	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
13101	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
13102	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
13103	rc \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
13104	AssertRCReturn(rc, rc);
13105	Log4(("#GP Gst: CS:RIP %04x:%08RX64 ErrorCode=%#x CR0=%#RX64 CPL=%u TR=%#04x\n", pMixedCtx->cs.Sel, pMixedCtx->rip,
13106	pVmxTransient->uExitIntErrorCode, pMixedCtx->cr0, CPUMGetGuestCPL(pVCpu), pMixedCtx->tr.Sel));
13107	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
13108	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
13109	return rc;
13110	}
13111
13112	Assert(CPUMIsGuestInRealModeEx(pMixedCtx));
13113	Assert(!pVCpu->CTX_SUFF(pVM)->hm.s.vmx.fUnrestrictedGuest);
13114
13115	/* EMInterpretDisasCurrent() requires a lot of the state, save the entire state. */
13116	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
13117	AssertRCReturn(rc, rc);
13118
13119	PDISCPUSTATE pDis = &pVCpu->hm.s.DisState;
13120	uint32_t cbOp = 0;
13121	PVM pVM = pVCpu->CTX_SUFF(pVM);
13122	bool fDbgStepping = pVCpu->hm.s.fSingleInstruction;
13123	rc = EMInterpretDisasCurrent(pVM, pVCpu, pDis, &cbOp);
13124	if (RT_SUCCESS(rc))
13125	{
13126	rc = VINF_SUCCESS;
13127	Assert(cbOp == pDis->cbInstr);
13128	Log4(("#GP Disas OpCode=%u CS:EIP %04x:%04RX64\n", pDis->pCurInstr->uOpcode, pMixedCtx->cs.Sel, pMixedCtx->rip));
13129	switch (pDis->pCurInstr->uOpcode)
13130	{
13131	case OP_CLI:
13132	{
13133	pMixedCtx->eflags.Bits.u1IF = 0;
13134	pMixedCtx->eflags.Bits.u1RF = 0;
13135	pMixedCtx->rip += pDis->cbInstr;
13136	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS);
13137	if ( !fDbgStepping
13138	&& pMixedCtx->eflags.Bits.u1TF)
13139	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
13140	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCli);
13141	break;
13142	}
13143
13144	case OP_STI:
13145	{
13146	bool fOldIF = pMixedCtx->eflags.Bits.u1IF;
13147	pMixedCtx->eflags.Bits.u1IF = 1;
13148	pMixedCtx->eflags.Bits.u1RF = 0;
13149	pMixedCtx->rip += pDis->cbInstr;
13150	if (!fOldIF)
13151	{
13152	EMSetInhibitInterruptsPC(pVCpu, pMixedCtx->rip);
13153	Assert(VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS));
13154	}
13155	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS);
13156	if ( !fDbgStepping
13157	&& pMixedCtx->eflags.Bits.u1TF)
13158	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
13159	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitSti);
13160	break;
13161	}
13162
13163	case OP_HLT:
13164	{
13165	rc = VINF_EM_HALT;
13166	pMixedCtx->rip += pDis->cbInstr;
13167	pMixedCtx->eflags.Bits.u1RF = 0;
13168	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS);
13169	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitHlt);
13170	break;
13171	}
13172
13173	case OP_POPF:
13174	{
13175	Log4(("POPF CS:EIP %04x:%04RX64\n", pMixedCtx->cs.Sel, pMixedCtx->rip));
13176	uint32_t cbParm;
13177	uint32_t uMask;
13178	bool fGstStepping = RT_BOOL(pMixedCtx->eflags.Bits.u1TF);
13179	if (pDis->fPrefix & DISPREFIX_OPSIZE)
13180	{
13181	cbParm = 4;
13182	uMask = 0xffffffff;
13183	}
13184	else
13185	{
13186	cbParm = 2;
13187	uMask = 0xffff;
13188	}
13189
13190	/* Get the stack pointer & pop the contents of the stack onto Eflags. */
13191	RTGCPTR GCPtrStack = 0;
13192	X86EFLAGS Eflags;
13193	rc = SELMToFlatEx(pVCpu, DISSELREG_SS, CPUMCTX2CORE(pMixedCtx), pMixedCtx->esp & uMask, SELMTOFLAT_FLAGS_CPL0,
13194	&GCPtrStack);
13195	if (RT_SUCCESS(rc))
13196	{
13197	Assert(sizeof(Eflags.u32) >= cbParm);
13198	Eflags.u32 = 0;
13199	rc = VBOXSTRICTRC_TODO(PGMPhysRead(pVM, (RTGCPHYS)GCPtrStack, &Eflags.u32, cbParm, PGMACCESSORIGIN_HM));
13200	AssertMsg(rc == VINF_SUCCESS, ("%Rrc\n", rc)); /** @todo allow strict return codes here */
13201	}
13202	if (RT_FAILURE(rc))
13203	{
13204	rc = VERR_EM_INTERPRETER;
13205	break;
13206	}
13207	Log4(("POPF %#x -> %#RX64 mask=%#x RIP=%#RX64\n", Eflags.u, pMixedCtx->rsp, uMask, pMixedCtx->rip));
13208	pMixedCtx->eflags.u32 = (pMixedCtx->eflags.u32 & ~((X86_EFL_POPF_BITS & uMask) \| X86_EFL_RF))
13209	\| (Eflags.u32 & X86_EFL_POPF_BITS & uMask);
13210	pMixedCtx->esp += cbParm;
13211	pMixedCtx->esp &= uMask;
13212	pMixedCtx->rip += pDis->cbInstr;
13213	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
13214	\| HM_CHANGED_GUEST_RSP
13215	\| HM_CHANGED_GUEST_RFLAGS);
13216	/* Generate a pending-debug exception when the guest stepping over POPF regardless of how
13217	POPF restores EFLAGS.TF. */
13218	if ( !fDbgStepping
13219	&& fGstStepping)
13220	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
13221	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPopf);
13222	break;
13223	}
13224
13225	case OP_PUSHF:
13226	{
13227	uint32_t cbParm;
13228	uint32_t uMask;
13229	if (pDis->fPrefix & DISPREFIX_OPSIZE)
13230	{
13231	cbParm = 4;
13232	uMask = 0xffffffff;
13233	}
13234	else
13235	{
13236	cbParm = 2;
13237	uMask = 0xffff;
13238	}
13239
13240	/* Get the stack pointer & push the contents of eflags onto the stack. */
13241	RTGCPTR GCPtrStack = 0;
13242	rc = SELMToFlatEx(pVCpu, DISSELREG_SS, CPUMCTX2CORE(pMixedCtx), (pMixedCtx->esp - cbParm) & uMask,
13243	SELMTOFLAT_FLAGS_CPL0, &GCPtrStack);
13244	if (RT_FAILURE(rc))
13245	{
13246	rc = VERR_EM_INTERPRETER;
13247	break;
13248	}
13249	X86EFLAGS Eflags = pMixedCtx->eflags;
13250	/* The RF & VM bits are cleared on image stored on stack; see Intel Instruction reference for PUSHF. */
13251	Eflags.Bits.u1RF = 0;
13252	Eflags.Bits.u1VM = 0;
13253
13254	rc = VBOXSTRICTRC_TODO(PGMPhysWrite(pVM, (RTGCPHYS)GCPtrStack, &Eflags.u, cbParm, PGMACCESSORIGIN_HM));
13255	if (RT_UNLIKELY(rc != VINF_SUCCESS))
13256	{
13257	AssertMsgFailed(("%Rrc\n", rc)); /** @todo allow strict return codes here */
13258	rc = VERR_EM_INTERPRETER;
13259	break;
13260	}
13261	Log4(("PUSHF %#x -> %#RGv\n", Eflags.u, GCPtrStack));
13262	pMixedCtx->esp -= cbParm;
13263	pMixedCtx->esp &= uMask;
13264	pMixedCtx->rip += pDis->cbInstr;
13265	pMixedCtx->eflags.Bits.u1RF = 0;
13266	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
13267	\| HM_CHANGED_GUEST_RSP
13268	\| HM_CHANGED_GUEST_RFLAGS);
13269	if ( !fDbgStepping
13270	&& pMixedCtx->eflags.Bits.u1TF)
13271	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
13272	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPushf);
13273	break;
13274	}
13275
13276	case OP_IRET:
13277	{
13278	/** @todo Handle 32-bit operand sizes and check stack limits. See Intel
13279	* instruction reference. */
13280	RTGCPTR GCPtrStack = 0;
13281	uint32_t uMask = 0xffff;
13282	bool fGstStepping = RT_BOOL(pMixedCtx->eflags.Bits.u1TF);
13283	uint16_t aIretFrame[3];
13284	if (pDis->fPrefix & (DISPREFIX_OPSIZE \| DISPREFIX_ADDRSIZE))
13285	{
13286	rc = VERR_EM_INTERPRETER;
13287	break;
13288	}
13289	rc = SELMToFlatEx(pVCpu, DISSELREG_SS, CPUMCTX2CORE(pMixedCtx), pMixedCtx->esp & uMask, SELMTOFLAT_FLAGS_CPL0,
13290	&GCPtrStack);
13291	if (RT_SUCCESS(rc))
13292	{
13293	rc = VBOXSTRICTRC_TODO(PGMPhysRead(pVM, (RTGCPHYS)GCPtrStack, &aIretFrame[0], sizeof(aIretFrame),
13294	PGMACCESSORIGIN_HM));
13295	AssertMsg(rc == VINF_SUCCESS, ("%Rrc\n", rc)); /** @todo allow strict return codes here */
13296	}
13297	if (RT_FAILURE(rc))
13298	{
13299	rc = VERR_EM_INTERPRETER;
13300	break;
13301	}
13302	pMixedCtx->eip = 0;
13303	pMixedCtx->ip = aIretFrame[0];
13304	pMixedCtx->cs.Sel = aIretFrame[1];
13305	pMixedCtx->cs.ValidSel = aIretFrame[1];
13306	pMixedCtx->cs.u64Base = (uint64_t)pMixedCtx->cs.Sel << 4;
13307	pMixedCtx->eflags.u32 = (pMixedCtx->eflags.u32 & ((UINT32_C(0xffff0000) \| X86_EFL_1) & ~X86_EFL_RF))
13308	\| (aIretFrame[2] & X86_EFL_POPF_BITS & uMask);
13309	pMixedCtx->sp += sizeof(aIretFrame);
13310	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
13311	\| HM_CHANGED_GUEST_SEGMENT_REGS
13312	\| HM_CHANGED_GUEST_RSP
13313	\| HM_CHANGED_GUEST_RFLAGS);
13314	/* Generate a pending-debug exception when stepping over IRET regardless of how IRET modifies EFLAGS.TF. */
13315	if ( !fDbgStepping
13316	&& fGstStepping)
13317	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
13318	Log4(("IRET %#RX32 to %04x:%04x\n", GCPtrStack, pMixedCtx->cs.Sel, pMixedCtx->ip));
13319	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIret);
13320	break;
13321	}
13322
13323	case OP_INT:
13324	{
13325	uint16_t uVector = pDis->Param1.uValue & 0xff;
13326	hmR0VmxSetPendingIntN(pVCpu, pMixedCtx, uVector, pDis->cbInstr);
13327	/* INT clears EFLAGS.TF, we must not set any pending debug exceptions here. */
13328	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInt);
13329	break;
13330	}
13331
13332	case OP_INTO:
13333	{
13334	if (pMixedCtx->eflags.Bits.u1OF)
13335	{
13336	hmR0VmxSetPendingXcptOF(pVCpu, pMixedCtx, pDis->cbInstr);
13337	/* INTO clears EFLAGS.TF, we must not set any pending debug exceptions here. */
13338	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInt);
13339	}
13340	else
13341	{
13342	pMixedCtx->eflags.Bits.u1RF = 0;
13343	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS);
13344	}
13345	break;
13346	}
13347
13348	default:
13349	{
13350	pMixedCtx->eflags.Bits.u1RF = 0; /* This is correct most of the time... */
13351	VBOXSTRICTRC rc2 = EMInterpretInstructionDisasState(pVCpu, pDis, CPUMCTX2CORE(pMixedCtx), 0 /* pvFault */,
13352	EMCODETYPE_SUPERVISOR);
13353	rc = VBOXSTRICTRC_VAL(rc2);
13354	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
13355	/** @todo We have to set pending-debug exceptions here when the guest is
13356	* single-stepping depending on the instruction that was interpreted. */
13357	Log4(("#GP rc=%Rrc\n", rc));
13358	break;
13359	}
13360	}
13361	}
13362	else
13363	rc = VERR_EM_INTERPRETER;
13364
13365	AssertMsg(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER \|\| rc == VINF_PGM_CHANGE_MODE \|\| rc == VINF_EM_HALT,
13366	("#GP Unexpected rc=%Rrc\n", rc));
13367	return rc;
13368	}
13369
13370
13371	/**
13372	* VM-exit exception handler wrapper for generic exceptions. Simply re-injects
13373	* the exception reported in the VMX transient structure back into the VM.
13374	*
13375	* @remarks Requires uExitIntInfo in the VMX transient structure to be
13376	* up-to-date.
13377	*/
13378	static int hmR0VmxExitXcptGeneric(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
13379	{
13380	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
13381	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
13382	Assert(pVCpu->hm.s.fUsingDebugLoop);
13383	#endif
13384
13385	/* Re-inject the exception into the guest. This cannot be a double-fault condition which would have been handled in
13386	hmR0VmxCheckExitDueToEventDelivery(). */
13387	int rc = hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
13388	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
13389	AssertRCReturn(rc, rc);
13390	Assert(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO);
13391
13392	#ifdef DEBUG_ramshankar
13393	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
13394	uint8_t uVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(pVmxTransient->uExitIntInfo);
13395	Log(("hmR0VmxExitXcptGeneric: Reinjecting Xcpt. uVector=%#x cs:rip=%#04x:%#RX64\n", uVector, pCtx->cs.Sel, pCtx->rip));
13396	#endif
13397
13398	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
13399	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
13400	return VINF_SUCCESS;
13401	}
13402
13403
13404	/**
13405	* VM-exit exception handler for \#PF (Page-fault exception).
13406	*/
13407	static int hmR0VmxExitXcptPF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
13408	{
13409	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
13410	PVM pVM = pVCpu->CTX_SUFF(pVM);
13411	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
13412	rc \|= hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
13413	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
13414	AssertRCReturn(rc, rc);
13415
13416	if (!pVM->hm.s.fNestedPaging)
13417	{ /* likely */ }
13418	else
13419	{
13420	#if !defined(HMVMX_ALWAYS_TRAP_ALL_XCPTS) && !defined(HMVMX_ALWAYS_TRAP_PF)
13421	Assert(pVCpu->hm.s.fUsingDebugLoop);
13422	#endif
13423	pVCpu->hm.s.Event.fPending = false; /* In case it's a contributory or vectoring #PF. */
13424	if (RT_LIKELY(!pVmxTransient->fVectoringDoublePF))
13425	{
13426	pMixedCtx->cr2 = pVmxTransient->uExitQualification; /* Update here in case we go back to ring-3 before injection. */
13427	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
13428	0 /* cbInstr */, pVmxTransient->uExitIntErrorCode, pVmxTransient->uExitQualification);
13429	}
13430	else
13431	{
13432	/* A guest page-fault occurred during delivery of a page-fault. Inject #DF. */
13433	hmR0VmxSetPendingXcptDF(pVCpu, pMixedCtx);
13434	Log4(("Pending #DF due to vectoring #PF. NP\n"));
13435	}
13436	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);
13437	return rc;
13438	}
13439
13440	/* If it's a vectoring #PF, emulate injecting the original event injection as PGMTrap0eHandler() is incapable
13441	of differentiating between instruction emulation and event injection that caused a #PF. See @bugref{6607}. */
13442	if (pVmxTransient->fVectoringPF)
13443	{
13444	Assert(pVCpu->hm.s.Event.fPending);
13445	return VINF_EM_RAW_INJECT_TRPM_EVENT;
13446	}
13447
13448	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
13449	AssertRCReturn(rc, rc);
13450
13451	Log4(("#PF: cr2=%#RX64 cs:rip=%#04x:%#RX64 uErrCode %#RX32 cr3=%#RX64\n", pVmxTransient->uExitQualification,
13452	pMixedCtx->cs.Sel, pMixedCtx->rip, pVmxTransient->uExitIntErrorCode, pMixedCtx->cr3));
13453
13454	TRPMAssertXcptPF(pVCpu, pVmxTransient->uExitQualification, (RTGCUINT)pVmxTransient->uExitIntErrorCode);
13455	rc = PGMTrap0eHandler(pVCpu, pVmxTransient->uExitIntErrorCode, CPUMCTX2CORE(pMixedCtx),
13456	(RTGCPTR)pVmxTransient->uExitQualification);
13457
13458	Log4(("#PF: rc=%Rrc\n", rc));
13459	if (rc == VINF_SUCCESS)
13460	{
13461	#if 0
13462	/* Successfully synced shadow pages tables or emulated an MMIO instruction. */
13463	/** @todo this isn't quite right, what if guest does lgdt with some MMIO
13464	* memory? We don't update the whole state here... */
13465	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
13466	\| HM_CHANGED_GUEST_RSP
13467	\| HM_CHANGED_GUEST_RFLAGS
13468	\| HM_CHANGED_VMX_GUEST_APIC_STATE);
13469	#else
13470	/* This is typically a shadow page table sync or a MMIO instruction. But we
13471	* may have emulated something like LTR or a far jump. Any part of the CPU
13472	* context may have changed.
13473	*/
13474	/** @todo take advantage of CPUM changed flags instead of brute forcing. */
13475	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
13476	#endif
13477	TRPMResetTrap(pVCpu);
13478	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowPF);
13479	return rc;
13480	}
13481
13482	if (rc == VINF_EM_RAW_GUEST_TRAP)
13483	{
13484	if (!pVmxTransient->fVectoringDoublePF)
13485	{
13486	/* It's a guest page fault and needs to be reflected to the guest. */
13487	uint32_t uGstErrorCode = TRPMGetErrorCode(pVCpu);
13488	TRPMResetTrap(pVCpu);
13489	pVCpu->hm.s.Event.fPending = false; /* In case it's a contributory #PF. */
13490	pMixedCtx->cr2 = pVmxTransient->uExitQualification; /* Update here in case we go back to ring-3 before injection. */
13491	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
13492	0 /* cbInstr */, uGstErrorCode, pVmxTransient->uExitQualification);
13493	}
13494	else
13495	{
13496	/* A guest page-fault occurred during delivery of a page-fault. Inject #DF. */
13497	TRPMResetTrap(pVCpu);
13498	pVCpu->hm.s.Event.fPending = false; /* Clear pending #PF to replace it with #DF. */
13499	hmR0VmxSetPendingXcptDF(pVCpu, pMixedCtx);
13500	Log4(("#PF: Pending #DF due to vectoring #PF\n"));
13501	}
13502
13503	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);
13504	return VINF_SUCCESS;
13505	}
13506
13507	TRPMResetTrap(pVCpu);
13508	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowPFEM);
13509	return rc;
13510	}
13511
13512	/** @} */
13513

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp@ 61680

Download in other formats: